One other aspect of CobaltStrike I hadn’t seen many public YARA rules for is the HTA Beacon loader, so that’s what today’s rule tries to match.
Again, this rule uses YARA’s base64 modifier and so may not work on older versions.
rule MAL_CobaltStrike_HTA_loader {
    meta:
        description = "Matches strings found in CobaltStrike HTA loader samples."
        last_modified = "2024-02-11"
        author = "@petermstewart"
        DaysofYara = "42/100"
        sha256 = "2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680"
        ref = "https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/"
    strings:
        $header = "<script>"
        $a1 = "%windir%\\\\System32\\\\"
        $a2 = "/c powershell -w 1 -C"
        $b1 = "-namespace Win32Functions" base64 wide
        $b2 = "[Byte[]];[Byte[]]$" base64 wide
        $b3 = "{Start-Sleep 60};" base64 wide
        $b4 = "[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(" base64 wide
        $b5 = "\\syswow64\\WindowsPowerShell\\v1.0\\powershell\";iex" base64 wide
        $b6 = "else{;iex \"& powershell" base64 wide
    condition:
        $header at 0 and
        all of them
}
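To show what the `base64 wide` modifier is doing for the $b strings above, here is an added Python illustration (my own, not code from the original post or from YARA): it encodes a search string as UTF-16LE the way `powershell -EncodedCommand` expects, base64-encodes it at each of the three possible 3-byte alignments, and trims the characters that also depend on neighbouring bytes. The trimming mirrors the principle rather than YARA's exact implementation, and the script, strings and prefixes are constructed for the demo.

```python
import base64

# Illustrative re-implementation of the idea behind YARA's `base64 wide`
# modifier (not YARA's own code): encode the search string as UTF-16LE,
# base64 it at each of the three possible 3-byte alignments, and drop the
# characters whose value also depends on the bytes before or after it.
def base64_fragments(s, wide=True):
    raw = s.encode("utf-16-le") if wide else s.encode("ascii")
    fragments = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode("ascii").rstrip("=")
        lead = (0, 2, 3)[pad]  # leading chars tainted by the pad bytes
        trail = 0 if (pad + len(raw)) % 3 == 0 else 1  # last char tainted by next byte
        fragments.append(enc[lead:len(enc) - trail])
    return fragments

# Three of the rule's `base64 wide` strings, as they would sit inside an
# encoded PowerShell command.
RULE_WIDE_STRINGS = [
    "-namespace Win32Functions",
    "[Byte[]];[Byte[]]$",
    "{Start-Sleep 60};",
]

# Constructed, inert stand-in for the decoded command (not a real sample).
SAMPLE_SCRIPT = (
    'Add-Type -namespace Win32Functions -Name Demo;'
    '[Byte[]];[Byte[]]$buf = 0;'
    'while($true){Start-Sleep 60};'
)

def encoded_command(script, wide=True):
    """Encode a script like `powershell -EncodedCommand` does: UTF-16LE, then base64."""
    raw = script.encode("utf-16-le") if wide else script.encode("ascii")
    return base64.b64encode(raw).decode("ascii")

def hits(blob, needles=RULE_WIDE_STRINGS):
    """True per needle if any of its three alignment fragments occurs in the blob."""
    return {n: any(f in blob for f in base64_fragments(n)) for n in needles}

if __name__ == "__main__":
    # Each extra UTF-16 char in front shifts the byte stream by 2, so prefixes of
    # 0, 1 and 2 chars exercise all three base64 alignments.
    for k in range(3):
        print(k, hits(encoded_command("x" * k + SAMPLE_SCRIPT)))
    # Without `wide` nothing matches: ASCII base64 of the same text carries no
    # interleaved null bytes.
    print("ascii", hits(encoded_command(SAMPLE_SCRIPT, wide=False)))
```

Drop the `wide=True` default to see why the plain `base64` modifier would miss these strings; the null byte after every character changes every base64 group.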
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.