dfir, mostly
That’s it! #100DaysofYARA is complete for 2024. As a final post I have collected all of my rules into a single ruleset that can be used to easily triage a set of samples. Some of the rules use the base64 string modifier which may not be supported on older versions of YARA, and a few make use of regular expressions which may cause performance issues on larger sample sets.
Given the size of the ruleset it’s probably easier to just grab it directly from my Github repository.
I hope it’s helpful!
One other aspect of CobaltStrike I hadn’t seen many public YARA rules for is the HTA Beacon loader, so that’s what today’s rule tries to match.
Again, this rule uses YARA’s base64 modifier and so may not work on older versions.
rule MAL_CobaltStrike_HTA_loader {
meta:
description = "Matches strings found in CobaltStrike HTA loader samples."
last_modified = "2024-02-11"
author = "@petermstewart"
DaysofYara = "42/100"
sha256 = "2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680"
ref = "https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/"
strings:
$header = "<script>"
$a1 = "%windir%\\\\System32\\\\"
$a2 = "/c powershell -w 1 -C"
$b1 = "-namespace Win32Functions" base64 wide
$b2 = "[Byte[]];[Byte[]]$" base64 wide
$b3 = "{Start-Sleep 60};" base64 wide
$b4 = "[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(" base64 wide
$b5 = "\\syswow64\\WindowsPowerShell\\v1.0\\powershell\";iex" base64 wide
$b6 = "else{;iex \"& powershell" base64 wide
condition:
$header at 0 and
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
In my day job I most commonly find CobaltStrike Beacon payloads executed via base64-encoded PowerShell following an initial compromise; maybe phishing or a web application vulnerability leading to command execution. Encoding the command means the threat actor doesn’t need to worry about matching quotes, brackets, etc when passing the command over the channel.
This rule uses YARA’s base64 modifier to match encoded variants of the loader command.
rule MAL_CobaltStrike_Powershell_loader_base64 {
meta:
description = "Matches base64-encoded strings found in CobaltStrike PowerShell loader commands."
last_modified = "2024-02-10"
author = "@petermstewart"
DaysofYara = "41/100"
strings:
$a1 = "=New-Object IO.MemoryStream(" base64 wide
$a2 = "[Convert]::FromBase64String(" base64 wide
$a3 = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" base64 wide
condition:
all of them
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
I deal with CobaltStrike pretty much every day in my job and in my experience it is by far the most commonly abused C2 framework. CobaltStrike isn’t new and there is already a huge collection of public research and detections available; Google, for example, published an extensive collection of YARA rules in 2022. One aspect that I did not find a public rule for though was the PowerShell Beacon loader:
rule MAL_CobaltStrike_Powershell_loader {
meta:
description = "Matches strings found in CobaltStrike PowerShell loader samples."
last_modified = "2024-02-09"
author = "@petermstewart"
DaysofYara = "40/100"
sha256 = "9c9e8841d706406bc23d05589f77eec6f8df6d5e4076bc6a762fdb423bfe8c24"
sha256 = "6881531ab756d62bdb0c3279040a5cbe92f9adfeccb201cca85b7d3cff7158d3"
ref = "https://medium.com/@cybenfolland/deobfuscating-a-powershell-cobalt-strike-beacon-loader-c650df862c34"
ref = "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/"
strings:
$a1 = "=New-Object IO.MemoryStream("
$a2 = "[Convert]::FromBase64String("
$a3 = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
$b1 = "Set-StrictMode -Version 2"
$b2 = "$DoIt = @'"
$b3 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))"
$b4 = "start-job { param($a) IEX $a }"
condition:
all of ($a*) or
all of ($b*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cyber Poking 