| 1 | + | rule Windows_Trojan_CobaltStrike_c851687a { |
| 2 | + | meta: |
| 3 | + | author = "Elastic Security" |
| 4 | + | id = "c851687a-aac6-43e7-a0b6-6aed36dcf12e" |
| 5 | + | fingerprint = "70224e28a223d09f2211048936beb9e2d31c0312c97a80e22c85e445f1937c10" |
| 6 | + | creation_date = "2021-03-23" |
| 7 | + | last_modified = "2021-08-23" |
| 8 | + | description = "Identifies UAC Bypass module from Cobalt Strike" |
| 9 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 10 | + | severity = 100 |
| 11 | + | arch_context = "x86" |
| 12 | + | scan_context = "file, memory" |
| 13 | + | license = "Elastic License v2" |
| 14 | + | os = "windows" |
| 15 | + | strings: |
| 16 | + | $a1 = "bypassuac.dll" ascii fullword |
| 17 | + | $a2 = "bypassuac.x64.dll" ascii fullword |
| 18 | + | $a3 = "\\\\.\\pipe\\bypassuac" ascii fullword |
| 19 | + | $b1 = "\\System32\\sysprep\\sysprep.exe" wide fullword |
| 20 | + | $b2 = "[-] Could not write temp DLL to '%S'" ascii fullword |
| 21 | + | $b3 = "[*] Cleanup successful" ascii fullword |
| 22 | + | $b4 = "\\System32\\cliconfg.exe" wide fullword |
| 23 | + | $b5 = "\\System32\\eventvwr.exe" wide fullword |
| 24 | + | $b6 = "[-] %S ran too long. Could not terminate the process." ascii fullword |
| 25 | + | $b7 = "[*] Wrote hijack DLL to '%S'" ascii fullword |
| 26 | + | $b8 = "\\System32\\sysprep\\" wide fullword |
| 27 | + | $b9 = "[-] COM initialization failed." ascii fullword |
| 28 | + | $b10 = "[-] Privileged file copy failed: %S" ascii fullword |
| 29 | + | $b11 = "[-] Failed to start %S: %d" ascii fullword |
| 30 | + | $b12 = "ReflectiveLoader" |
| 31 | + | $b13 = "[-] '%S' exists in DLL hijack location." ascii fullword |
| 32 | + | $b14 = "[-] Cleanup failed. Remove: %S" ascii fullword |
| 33 | + | $b15 = "[+] %S ran and exited." ascii fullword |
| 34 | + | $b16 = "[+] Privileged file copy success! %S" ascii fullword |
| 35 | + | condition: |
| 36 | + | 2 of ($a*) or 10 of ($b*) |
| 37 | + | } |
| 38 | + | |
| 39 | + | rule Windows_Trojan_CobaltStrike_0b58325e { |
| 40 | + | meta: |
| 41 | + | author = "Elastic Security" |
| 42 | + | id = "0b58325e-2538-434d-9a2c-26e2c32db039" |
| 43 | + | fingerprint = "8ecd5bdce925ae5d4f90cecb9bc8c3901b54ba1c899a33354bcf529eeb2485d4" |
| 44 | + | creation_date = "2021-03-23" |
| 45 | + | last_modified = "2021-08-23" |
| 46 | + | description = "Identifies Keylogger module from Cobalt Strike" |
| 47 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 48 | + | severity = 100 |
| 49 | + | arch_context = "x86" |
| 50 | + | scan_context = "file, memory" |
| 51 | + | license = "Elastic License v2" |
| 52 | + | os = "windows" |
| 53 | + | strings: |
| 54 | + | $a1 = "keylogger.dll" ascii fullword |
| 55 | + | $a2 = "keylogger.x64.dll" ascii fullword |
| 56 | + | $a3 = "\\\\.\\pipe\\keylogger" ascii fullword |
| 57 | + | $a4 = "%cE=======%c" ascii fullword |
| 58 | + | $a5 = "[unknown: %02X]" ascii fullword |
| 59 | + | $b1 = "ReflectiveLoader" |
| 60 | + | $b2 = "%c2%s%c" ascii fullword |
| 61 | + | $b3 = "[numlock]" ascii fullword |
| 62 | + | $b4 = "%cC%s" ascii fullword |
| 63 | + | $b5 = "[backspace]" ascii fullword |
| 64 | + | $b6 = "[scroll lock]" ascii fullword |
| 65 | + | $b7 = "[control]" ascii fullword |
| 66 | + | $b8 = "[left]" ascii fullword |
| 67 | + | $b9 = "[page up]" ascii fullword |
| 68 | + | $b10 = "[page down]" ascii fullword |
| 69 | + | $b11 = "[prtscr]" ascii fullword |
| 70 | + | $b12 = "ZRich9" ascii fullword |
| 71 | + | $b13 = "[ctrl]" ascii fullword |
| 72 | + | $b14 = "[home]" ascii fullword |
| 73 | + | $b15 = "[pause]" ascii fullword |
| 74 | + | $b16 = "[clear]" ascii fullword |
| 75 | + | condition: |
| 76 | + | 1 of ($a*) and 14 of ($b*) |
| 77 | + | } |
| 78 | + | |
| 79 | + | rule Windows_Trojan_CobaltStrike_2b8cddf8 { |
| 80 | + | meta: |
| 81 | + | author = "Elastic Security" |
| 82 | + | id = "2b8cddf8-ca7a-4f85-be9d-6d8534d0482e" |
| 83 | + | fingerprint = "0d7d28d79004ca61b0cfdcda29bd95e3333e6fc6e6646a3f6ba058aa01bee188" |
| 84 | + | creation_date = "2021-03-23" |
| 85 | + | last_modified = "2021-08-23" |
| 86 | + | description = "Identifies dll load module from Cobalt Strike" |
| 87 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 88 | + | severity = 100 |
| 89 | + | arch_context = "x86" |
| 90 | + | scan_context = "file, memory" |
| 91 | + | license = "Elastic License v2" |
| 92 | + | os = "windows" |
| 93 | + | strings: |
| 94 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\dllload.x64.o" ascii fullword |
| 95 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\dllload.x86.o" ascii fullword |
| 96 | + | $b1 = "__imp_BeaconErrorDD" ascii fullword |
| 97 | + | $b2 = "__imp_BeaconErrorNA" ascii fullword |
| 98 | + | $b3 = "__imp_BeaconErrorD" ascii fullword |
| 99 | + | $b4 = "__imp_BeaconDataInt" ascii fullword |
| 100 | + | $b5 = "__imp_KERNEL32$WriteProcessMemory" ascii fullword |
| 101 | + | $b6 = "__imp_KERNEL32$OpenProcess" ascii fullword |
| 102 | + | $b7 = "__imp_KERNEL32$CreateRemoteThread" ascii fullword |
| 103 | + | $b8 = "__imp_KERNEL32$VirtualAllocEx" ascii fullword |
| 104 | + | $c1 = "__imp__BeaconErrorDD" ascii fullword |
| 105 | + | $c2 = "__imp__BeaconErrorNA" ascii fullword |
| 106 | + | $c3 = "__imp__BeaconErrorD" ascii fullword |
| 107 | + | $c4 = "__imp__BeaconDataInt" ascii fullword |
| 108 | + | $c5 = "__imp__KERNEL32$WriteProcessMemory" ascii fullword |
| 109 | + | $c6 = "__imp__KERNEL32$OpenProcess" ascii fullword |
| 110 | + | $c7 = "__imp__KERNEL32$CreateRemoteThread" ascii fullword |
| 111 | + | $c8 = "__imp__KERNEL32$VirtualAllocEx" ascii fullword |
| 112 | + | condition: |
| 113 | + | 1 of ($a*) or 5 of ($b*) or 5 of ($c*) |
| 114 | + | } |
| 115 | + | |
| 116 | + | rule Windows_Trojan_CobaltStrike_59b44767 { |
| 117 | + | meta: |
| 118 | + | author = "Elastic Security" |
| 119 | + | id = "59b44767-c9a5-42c0-b177-7fe49afd7dfb" |
| 120 | + | fingerprint = "882886a282ec78623a0d3096be3d324a8a1b8a23bcb88ea0548df2fae5e27aa5" |
| 121 | + | creation_date = "2021-03-23" |
| 122 | + | last_modified = "2021-08-23" |
| 123 | + | description = "Identifies getsystem module from Cobalt Strike" |
| 124 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 125 | + | severity = 100 |
| 126 | + | arch_context = "x86" |
| 127 | + | scan_context = "file, memory" |
| 128 | + | license = "Elastic License v2" |
| 129 | + | os = "windows" |
| 130 | + | strings: |
| 131 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\getsystem.x86.o" ascii fullword |
| 132 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\getsystem.x64.o" ascii fullword |
| 133 | + | $b1 = "getsystem failed." ascii fullword |
| 134 | + | $b2 = "_isSystemSID" ascii fullword |
| 135 | + | $b3 = "__imp__NTDLL$NtQuerySystemInformation@16" ascii fullword |
| 136 | + | $c1 = "getsystem failed." ascii fullword |
| 137 | + | $c2 = "$pdata$isSystemSID" ascii fullword |
| 138 | + | $c3 = "$unwind$isSystemSID" ascii fullword |
| 139 | + | $c4 = "__imp_NTDLL$NtQuerySystemInformation" ascii fullword |
| 140 | + | condition: |
| 141 | + | 1 of ($a*) or 3 of ($b*) or 3 of ($c*) |
| 142 | + | } |
| 143 | + | |
| 144 | + | rule Windows_Trojan_CobaltStrike_7efd3c3f { |
| 145 | + | meta: |
| 146 | + | author = "Elastic Security" |
| 147 | + | id = "7efd3c3f-1104-4b46-9d1e-dc2c62381b8c" |
| 148 | + | fingerprint = "9e7c7c9a7436f5ee4c27fd46d6f06e7c88f4e4d1166759573cedc3ed666e1838" |
| 149 | + | creation_date = "2021-03-23" |
| 150 | + | last_modified = "2021-08-23" |
| 151 | + | description = "Identifies Hashdump module from Cobalt Strike" |
| 152 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 153 | + | severity = 70 |
| 154 | + | arch_context = "x86" |
| 155 | + | scan_context = "file, memory" |
| 156 | + | license = "Elastic License v2" |
| 157 | + | os = "windows" |
| 158 | + | strings: |
| 159 | + | $a1 = "hashdump.dll" ascii fullword |
| 160 | + | $a2 = "hashdump.x64.dll" ascii fullword |
| 161 | + | $a3 = "\\\\.\\pipe\\hashdump" ascii fullword |
| 162 | + | $a4 = "ReflectiveLoader" |
| 163 | + | $a5 = "Global\\SAM" ascii fullword |
| 164 | + | $a6 = "Global\\FREE" ascii fullword |
| 165 | + | $a7 = "[-] no results." ascii fullword |
| 166 | + | condition: |
| 167 | + | 4 of ($a*) |
| 168 | + | } |
| 169 | + | |
| 170 | + | rule Windows_Trojan_CobaltStrike_6e971281 { |
| 171 | + | meta: |
| 172 | + | author = "Elastic Security" |
| 173 | + | id = "6e971281-3ee3-402f-8a72-745ec8fb91fb" |
| 174 | + | fingerprint = "62d97cf73618a1b4d773d5494b2761714be53d5cda774f9a96eaa512c8d5da12" |
| 175 | + | creation_date = "2021-03-23" |
| 176 | + | last_modified = "2021-08-23" |
| 177 | + | description = "Identifies Interfaces module from Cobalt Strike" |
| 178 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 179 | + | severity = 100 |
| 180 | + | arch_context = "x86" |
| 181 | + | scan_context = "file, memory" |
| 182 | + | license = "Elastic License v2" |
| 183 | + | os = "windows" |
| 184 | + | strings: |
| 185 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\interfaces.x64.o" ascii fullword |
| 186 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\interfaces.x86.o" ascii fullword |
| 187 | + | $b1 = "__imp_BeaconFormatAlloc" ascii fullword |
| 188 | + | $b2 = "__imp_BeaconFormatPrintf" ascii fullword |
| 189 | + | $b3 = "__imp_BeaconOutput" ascii fullword |
| 190 | + | $b4 = "__imp_KERNEL32$LocalAlloc" ascii fullword |
| 191 | + | $b5 = "__imp_KERNEL32$LocalFree" ascii fullword |
| 192 | + | $b6 = "__imp_LoadLibraryA" ascii fullword |
| 193 | + | $c1 = "__imp__BeaconFormatAlloc" ascii fullword |
| 194 | + | $c2 = "__imp__BeaconFormatPrintf" ascii fullword |
| 195 | + | $c3 = "__imp__BeaconOutput" ascii fullword |
| 196 | + | $c4 = "__imp__KERNEL32$LocalAlloc" ascii fullword |
| 197 | + | $c5 = "__imp__KERNEL32$LocalFree" ascii fullword |
| 198 | + | $c6 = "__imp__LoadLibraryA" ascii fullword |
| 199 | + | condition: |
| 200 | + | 1 of ($a*) or 4 of ($b*) or 4 of ($c*) |
| 201 | + | } |
| 202 | + | |
| 203 | + | rule Windows_Trojan_CobaltStrike_09b79efa { |
| 204 | + | meta: |
| 205 | + | author = "Elastic Security" |
| 206 | + | id = "09b79efa-55d7-481d-9ee0-74ac5f787cef" |
| 207 | + | fingerprint = "04ef6555e8668c56c528dc62184331a6562f47652c73de732e5f7c82779f2fd8" |
| 208 | + | creation_date = "2021-03-23" |
| 209 | + | last_modified = "2021-08-23" |
| 210 | + | description = "Identifies Invoke Assembly module from Cobalt Strike" |
| 211 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 212 | + | severity = 100 |
| 213 | + | arch_context = "x86" |
| 214 | + | scan_context = "file, memory" |
| 215 | + | license = "Elastic License v2" |
| 216 | + | os = "windows" |
| 217 | + | strings: |
| 218 | + | $a1 = "invokeassembly.x64.dll" ascii fullword |
| 219 | + | $a2 = "invokeassembly.dll" ascii fullword |
| 220 | + | $b1 = "[-] Failed to get default AppDomain w/hr 0x%08lx" ascii fullword |
| 221 | + | $b2 = "[-] Failed to load the assembly w/hr 0x%08lx" ascii fullword |
| 222 | + | $b3 = "[-] Failed to create the runtime host" ascii fullword |
| 223 | + | $b4 = "[-] Invoke_3 on EntryPoint failed." ascii fullword |
| 224 | + | $b5 = "[-] CLR failed to start w/hr 0x%08lx" ascii fullword |
| 225 | + | $b6 = "ReflectiveLoader" |
| 226 | + | $b7 = ".NET runtime [ver %S] cannot be loaded" ascii fullword |
| 227 | + | $b8 = "[-] No .NET runtime found. :(" ascii fullword |
| 228 | + | $b9 = "[-] ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx" ascii fullword |
| 229 | + | $c1 = { FF 57 0C 85 C0 78 40 8B 45 F8 8D 55 F4 8B 08 52 50 } |
| 230 | + | condition: |
| 231 | + | 1 of ($a*) or 3 of ($b*) or 1 of ($c*) |
| 232 | + | } |
| 233 | + | |
| 234 | + | rule Windows_Trojan_CobaltStrike_6e77233e { |
| 235 | + | meta: |
| 236 | + | author = "Elastic Security" |
| 237 | + | id = "6e77233e-7fb4-4295-823d-f97786c5d9c4" |
| 238 | + | fingerprint = "cef2949eae78b1c321c2ec4010749a5ac0551d680bd5eb85493fc88c5227d285" |
| 239 | + | creation_date = "2021-03-23" |
| 240 | + | last_modified = "2021-08-23" |
| 241 | + | description = "Identifies Kerberos module from Cobalt Strike" |
| 242 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 243 | + | severity = 100 |
| 244 | + | arch_context = "x86" |
| 245 | + | scan_context = "file, memory" |
| 246 | + | license = "Elastic License v2" |
| 247 | + | os = "windows" |
| 248 | + | strings: |
| 249 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\kerberos.x64.o" ascii fullword |
| 250 | + | $a2 = "$unwind$command_kerberos_ticket_use" ascii fullword |
| 251 | + | $a3 = "$pdata$command_kerberos_ticket_use" ascii fullword |
| 252 | + | $a4 = "command_kerberos_ticket_use" ascii fullword |
| 253 | + | $a5 = "$pdata$command_kerberos_ticket_purge" ascii fullword |
| 254 | + | $a6 = "command_kerberos_ticket_purge" ascii fullword |
| 255 | + | $a7 = "$unwind$command_kerberos_ticket_purge" ascii fullword |
| 256 | + | $a8 = "$unwind$kerberos_init" ascii fullword |
| 257 | + | $a9 = "$unwind$KerberosTicketUse" ascii fullword |
| 258 | + | $a10 = "KerberosTicketUse" ascii fullword |
| 259 | + | $a11 = "$unwind$KerberosTicketPurge" ascii fullword |
| 260 | + | $b1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\kerberos.x86.o" ascii fullword |
| 261 | + | $b2 = "_command_kerberos_ticket_use" ascii fullword |
| 262 | + | $b3 = "_command_kerberos_ticket_purge" ascii fullword |
| 263 | + | $b4 = "_kerberos_init" ascii fullword |
| 264 | + | $b5 = "_KerberosTicketUse" ascii fullword |
| 265 | + | $b6 = "_KerberosTicketPurge" ascii fullword |
| 266 | + | $b7 = "_LsaCallKerberosPackage" ascii fullword |
| 267 | + | condition: |
| 268 | + | 5 of ($a*) or 3 of ($b*) |
| 269 | + | } |
| 270 | + | |
| 271 | + | rule Windows_Trojan_CobaltStrike_de42495a { |
| 272 | + | meta: |
| 273 | + | author = "Elastic Security" |
| 274 | + | id = "de42495a-0002-466e-98b9-19c9ebb9240e" |
| 275 | + | fingerprint = "dab3c25809ec3af70df5a8a04a2efd4e8ecb13a4c87001ea699e7a1512973b82" |
| 276 | + | creation_date = "2021-03-23" |
| 277 | + | last_modified = "2021-08-23" |
| 278 | + | description = "Identifies Mimikatz module from Cobalt Strike" |
| 279 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 280 | + | severity = 100 |
| 281 | + | arch_context = "x86" |
| 282 | + | scan_context = "file, memory" |
| 283 | + | license = "Elastic License v2" |
| 284 | + | os = "windows" |
| 285 | + | strings: |
| 286 | + | $a1 = "\\\\.\\pipe\\mimikatz" ascii fullword |
| 287 | + | $b1 = "ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Da" wide |
| 288 | + | $b2 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" wide fullword |
| 289 | + | $b3 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO" wide fullword |
| 290 | + | $b4 = "ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO" wide fullword |
| 291 | + | $b5 = "ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)" wide fullword |
| 292 | + | $b6 = "ERROR kuhl_m_lsadump_enumdomains_users ; SamLookupNamesInDomain: %08x" wide fullword |
| 293 | + | $b7 = "mimikatz(powershell) # %s" wide fullword |
| 294 | + | $b8 = "powershell_reflective_mimikatz" ascii fullword |
| 295 | + | $b9 = "mimikatz_dpapi_cache.ndr" wide fullword |
| 296 | + | $b10 = "mimikatz.log" wide fullword |
| 297 | + | $b11 = "ERROR mimikatz_doLocal" wide |
| 298 | + | $b12 = "mimikatz_x64.compressed" wide |
| 299 | + | condition: |
| 300 | + | 1 of ($a*) and 7 of ($b*) |
| 301 | + | } |
| 302 | + | |
| 303 | + | rule Windows_Trojan_CobaltStrike_72f68375 { |
| 304 | + | meta: |
| 305 | + | author = "Elastic Security" |
| 306 | + | id = "72f68375-35ab-49cc-905d-15302389a236" |
| 307 | + | fingerprint = "ecc28f414b2c347722b681589da8529c6f3af0491845453874f8fd87c2ae86d7" |
| 308 | + | creation_date = "2021-03-23" |
| 309 | + | last_modified = "2021-08-23" |
| 310 | + | description = "Identifies Netdomain module from Cobalt Strike" |
| 311 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 312 | + | severity = 100 |
| 313 | + | arch_context = "x86" |
| 314 | + | scan_context = "file, memory" |
| 315 | + | license = "Elastic License v2" |
| 316 | + | os = "windows" |
| 317 | + | strings: |
| 318 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\net_domain.x64.o" ascii fullword |
| 319 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\net_domain.x86.o" ascii fullword |
| 320 | + | $b1 = "__imp_BeaconPrintf" ascii fullword |
| 321 | + | $b2 = "__imp_NETAPI32$NetApiBufferFree" ascii fullword |
| 322 | + | $b3 = "__imp_NETAPI32$DsGetDcNameA" ascii fullword |
| 323 | + | $c1 = "__imp__BeaconPrintf" ascii fullword |
| 324 | + | $c2 = "__imp__NETAPI32$NetApiBufferFree" ascii fullword |
| 325 | + | $c3 = "__imp__NETAPI32$DsGetDcNameA" ascii fullword |
| 326 | + | condition: |
| 327 | + | 1 of ($a*) or 2 of ($b*) or 2 of ($c*) |
| 328 | + | } |
| 329 | + | |
| 330 | + | rule Windows_Trojan_CobaltStrike_15f680fb { |
| 331 | + | meta: |
| 332 | + | author = "Elastic Security" |
| 333 | + | id = "15f680fb-a04f-472d-a182-0b9bee111351" |
| 334 | + | fingerprint = "0ecb8e41c01bf97d6dea4cf6456b769c6dd2a037b37d754f38580bcf561e1d2c" |
| 335 | + | creation_date = "2021-03-23" |
| 336 | + | last_modified = "2021-08-23" |
| 337 | + | description = "Identifies Netview module from Cobalt Strike" |
| 338 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 339 | + | severity = 100 |
| 340 | + | arch_context = "x86" |
| 341 | + | scan_context = "file, memory" |
| 342 | + | license = "Elastic License v2" |
| 343 | + | os = "windows" |
| 344 | + | strings: |
| 345 | + | $a1 = "netview.x64.dll" ascii fullword |
| 346 | + | $a2 = "netview.dll" ascii fullword |
| 347 | + | $a3 = "\\\\.\\pipe\\netview" ascii fullword |
| 348 | + | $b1 = "Sessions for \\\\%s:" ascii fullword |
| 349 | + | $b2 = "Account information for %s on \\\\%s:" ascii fullword |
| 350 | + | $b3 = "Users for \\\\%s:" ascii fullword |
| 351 | + | $b4 = "Shares at \\\\%s:" ascii fullword |
| 352 | + | $b5 = "ReflectiveLoader" ascii fullword |
| 353 | + | $b6 = "Password changeable" ascii fullword |
| 354 | + | $b7 = "User's Comment" wide fullword |
| 355 | + | $b8 = "List of hosts for domain '%s':" ascii fullword |
| 356 | + | $b9 = "Password changeable" ascii fullword |
| 357 | + | $b10 = "Logged on users at \\\\%s:" ascii fullword |
| 358 | + | condition: |
| 359 | + | 2 of ($a*) or 6 of ($b*) |
| 360 | + | } |
| 361 | + | |
| 362 | + | rule Windows_Trojan_CobaltStrike_5b4383ec { |
| 363 | + | meta: |
| 364 | + | author = "Elastic Security" |
| 365 | + | id = "5b4383ec-3c93-4e91-850e-d43cc3a86710" |
| 366 | + | fingerprint = "283d3d2924e92b31f26ec4fc6b79c51bd652fb1377b6985b003f09f8c3dba66c" |
| 367 | + | creation_date = "2021-03-23" |
| 368 | + | last_modified = "2021-08-23" |
| 369 | + | description = "Identifies Portscan module from Cobalt Strike" |
| 370 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 371 | + | severity = 100 |
| 372 | + | arch_context = "x86" |
| 373 | + | scan_context = "file, memory" |
| 374 | + | license = "Elastic License v2" |
| 375 | + | os = "windows" |
| 376 | + | strings: |
| 377 | + | $a1 = "portscan.x64.dll" ascii fullword |
| 378 | + | $a2 = "portscan.dll" ascii fullword |
| 379 | + | $a3 = "\\\\.\\pipe\\portscan" ascii fullword |
| 380 | + | $b1 = "(ICMP) Target '%s' is alive. [read %d bytes]" ascii fullword |
| 381 | + | $b2 = "(ARP) Target '%s' is alive. " ascii fullword |
| 382 | + | $b3 = "TARGETS!12345" ascii fullword |
| 383 | + | $b4 = "ReflectiveLoader" ascii fullword |
| 384 | + | $b5 = "%s:%d (platform: %d version: %d.%d name: %S domain: %S)" ascii fullword |
| 385 | + | $b6 = "Scanner module is complete" ascii fullword |
| 386 | + | $b7 = "pingpong" ascii fullword |
| 387 | + | $b8 = "PORTS!12345" ascii fullword |
| 388 | + | $b9 = "%s:%d (%s)" ascii fullword |
| 389 | + | $b10 = "PREFERENCES!12345" ascii fullword |
| 390 | + | condition: |
| 391 | + | 2 of ($a*) or 6 of ($b*) |
| 392 | + | } |
| 393 | + | |
| 394 | + | rule Windows_Trojan_CobaltStrike_91e08059 { |
| 395 | + | meta: |
| 396 | + | author = "Elastic Security" |
| 397 | + | id = "91e08059-46a8-47d0-91c9-e86874951a4a" |
| 398 | + | fingerprint = "d8baacb58a3db00489827275ad6a2d007c018eaecbce469356b068d8a758634b" |
| 399 | + | creation_date = "2021-03-23" |
| 400 | + | last_modified = "2021-08-23" |
| 401 | + | description = "Identifies Post Ex module from Cobalt Strike" |
| 402 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 403 | + | severity = 100 |
| 404 | + | arch_context = "x86" |
| 405 | + | scan_context = "file, memory" |
| 406 | + | license = "Elastic License v2" |
| 407 | + | os = "windows" |
| 408 | + | strings: |
| 409 | + | $a1 = "postex.x64.dll" ascii fullword |
| 410 | + | $a2 = "postex.dll" ascii fullword |
| 411 | + | $a3 = "RunAsAdminCMSTP" ascii fullword |
| 412 | + | $a4 = "KerberosTicketPurge" ascii fullword |
| 413 | + | $b1 = "GetSystem" ascii fullword |
| 414 | + | $b2 = "HelloWorld" ascii fullword |
| 415 | + | $b3 = "KerberosTicketUse" ascii fullword |
| 416 | + | $b4 = "SpawnAsAdmin" ascii fullword |
| 417 | + | $b5 = "RunAsAdmin" ascii fullword |
| 418 | + | $b6 = "NetDomain" ascii fullword |
| 419 | + | condition: |
| 420 | + | 2 of ($a*) or 4 of ($b*) |
| 421 | + | } |
| 422 | + | |
| 423 | + | rule Windows_Trojan_CobaltStrike_ee756db7 { |
| 424 | + | meta: |
| 425 | + | author = "Elastic Security" |
| 426 | + | id = "ee756db7-e177-41f0-af99-c44646d334f7" |
| 427 | + | fingerprint = "e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71" |
| 428 | + | creation_date = "2021-03-23" |
| 429 | + | last_modified = "2021-08-23" |
| 430 | + | description = "Attempts to detect Cobalt Strike based on strings found in BEACON" |
| 431 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 432 | + | severity = 100 |
| 433 | + | arch_context = "x86" |
| 434 | + | scan_context = "file, memory" |
| 435 | + | license = "Elastic License v2" |
| 436 | + | os = "windows" |
| 437 | + | strings: |
| 438 | + | $a1 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 439 | + | $a2 = "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 440 | + | $a3 = "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset." ascii fullword |
| 441 | + | $a4 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword |
| 442 | + | $a5 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')" ascii fullword |
| 443 | + | $a6 = "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 444 | + | $a7 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword |
| 445 | + | $a8 = "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 446 | + | $a9 = "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 447 | + | $a10 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword |
| 448 | + | $a11 = "Could not open service control manager on %s: %d" ascii fullword |
| 449 | + | $a12 = "%d is an x64 process (can't inject x86 content)" ascii fullword |
| 450 | + | $a13 = "%d is an x86 process (can't inject x64 content)" ascii fullword |
| 451 | + | $a14 = "Failed to impersonate logged on user %d (%u)" ascii fullword |
| 452 | + | $a15 = "could not create remote thread in %d: %d" ascii fullword |
| 453 | + | $a16 = "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 454 | + | $a17 = "could not write to process memory: %d" ascii fullword |
| 455 | + | $a18 = "Could not create service %s on %s: %d" ascii fullword |
| 456 | + | $a19 = "Could not delete service %s on %s: %d" ascii fullword |
| 457 | + | $a20 = "Could not open process token: %d (%u)" ascii fullword |
| 458 | + | $a21 = "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 459 | + | $a22 = "Could not start service %s on %s: %d" ascii fullword |
| 460 | + | $a23 = "Could not query service %s on %s: %d" ascii fullword |
| 461 | + | $a24 = "Could not connect to pipe (%s): %d" ascii fullword |
| 462 | + | $a25 = "%s.1%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 463 | + | $a26 = "could not spawn %s (token): %d" ascii fullword |
| 464 | + | $a27 = "could not open process %d: %d" ascii fullword |
| 465 | + | $a28 = "could not run %s as %s\\%s: %d" ascii fullword |
| 466 | + | $a29 = "%s.1%08x%08x%08x%08x.%x%x.%s" ascii fullword |
| 467 | + | $a30 = "kerberos ticket use failed:" ascii fullword |
| 468 | + | $a31 = "Started service %s on %s" ascii fullword |
| 469 | + | $a32 = "%s.1%08x%08x%08x.%x%x.%s" ascii fullword |
| 470 | + | $a33 = "I'm already in SMB mode" ascii fullword |
| 471 | + | $a34 = "could not spawn %s: %d" ascii fullword |
| 472 | + | $a35 = "could not open %s: %d" ascii fullword |
| 473 | + | $a36 = "%s.1%08x%08x.%x%x.%s" ascii fullword |
| 474 | + | $a37 = "Could not open '%s'" ascii fullword |
| 475 | + | $a38 = "%s.1%08x.%x%x.%s" ascii fullword |
| 476 | + | $a39 = "%s as %s\\%s: %d" ascii fullword |
| 477 | + | $a40 = "%s.1%x.%x%x.%s" ascii fullword |
| 478 | + | $a41 = "beacon.x64.dll" ascii fullword |
| 479 | + | $a42 = "%s on %s: %d" ascii fullword |
| 480 | + | $a43 = "www6.%x%x.%s" ascii fullword |
| 481 | + | $a44 = "cdn.%x%x.%s" ascii fullword |
| 482 | + | $a45 = "api.%x%x.%s" ascii fullword |
| 483 | + | $a46 = "%s (admin)" ascii fullword |
| 484 | + | $a47 = "beacon.dll" ascii fullword |
| 485 | + | $a48 = "%s%s: %s" ascii fullword |
| 486 | + | $a49 = "@%d.%s" ascii fullword |
| 487 | + | $a50 = "%02d/%02d/%02d %02d:%02d:%02d" ascii fullword |
| 488 | + | $a51 = "Content-Length: %d" ascii fullword |
| 489 | + | condition: |
| 490 | + | 6 of ($a*) |
| 491 | + | } |
| 492 | + | |
| 493 | + | rule Windows_Trojan_CobaltStrike_9c0d5561 { |
| 494 | + | meta: |
| 495 | + | author = "Elastic Security" |
| 496 | + | id = "9c0d5561-5b09-44ae-8e8c-336dee606199" |
| 497 | + | fingerprint = "01d53fcdb320f0cd468a2521c3e96dcb0b9aa00e7a7a9442069773c6b3759059" |
| 498 | + | creation_date = "2021-03-23" |
| 499 | + | last_modified = "2021-10-04" |
| 500 | + | description = "Identifies PowerShell Runner module from Cobalt Strike" |
| 501 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 502 | + | severity = 100 |
| 503 | + | arch_context = "x86" |
| 504 | + | scan_context = "file, memory" |
| 505 | + | license = "Elastic License v2" |
| 506 | + | os = "windows" |
| 507 | + | strings: |
| 508 | + | $a1 = "PowerShellRunner.dll" wide fullword |
| 509 | + | $a2 = "powershell.x64.dll" ascii fullword |
| 510 | + | $a3 = "powershell.dll" ascii fullword |
| 511 | + | $a4 = "\\\\.\\pipe\\powershell" ascii fullword |
| 512 | + | $b1 = "PowerShellRunner.PowerShellRunner" ascii fullword |
| 513 | + | $b2 = "Failed to invoke GetOutput w/hr 0x%08lx" ascii fullword |
| 514 | + | $b3 = "Failed to get default AppDomain w/hr 0x%08lx" ascii fullword |
| 515 | + | $b4 = "ICLRMetaHost::GetRuntime (v4.0.30319) failed w/hr 0x%08lx" ascii fullword |
| 516 | + | $b5 = "CustomPSHostUserInterface" ascii fullword |
| 517 | + | $b6 = "RuntimeClrHost::GetCurrentAppDomainId failed w/hr 0x%08lx" ascii fullword |
| 518 | + | $b7 = "ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx" ascii fullword |
| 519 | + | $c1 = { 8B 08 50 FF 51 08 8B 7C 24 1C 8D 4C 24 10 51 C7 } |
| 520 | + | $c2 = "z:\\devcenter\\aggressor\\external\\PowerShellRunner\\obj\\Release\\PowerShellRunner.pdb" ascii fullword |
| 521 | + | condition: |
| 522 | + | (1 of ($a*) and 4 of ($b*)) or 1 of ($c*) |
| 523 | + | } |
| 524 | + | |
| 525 | + | rule Windows_Trojan_CobaltStrike_59ed9124 { |
| 526 | + | meta: |
| 527 | + | author = "Elastic Security" |
| 528 | + | id = "59ed9124-bc20-4ea6-b0a7-63ee3359e69c" |
| 529 | + | fingerprint = "7823e3b98e55a83bf94b0f07e4c116dbbda35adc09fa0b367f8a978a80c2efff" |
| 530 | + | creation_date = "2021-03-23" |
| 531 | + | last_modified = "2021-08-23" |
| 532 | + | description = "Identifies PsExec module from Cobalt Strike" |
| 533 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 534 | + | severity = 100 |
| 535 | + | arch_context = "x86" |
| 536 | + | scan_context = "file, memory" |
| 537 | + | license = "Elastic License v2" |
| 538 | + | os = "windows" |
| 539 | + | strings: |
| 540 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\psexec_command.x64.o" ascii fullword |
| 541 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\psexec_command.x86.o" ascii fullword |
| 542 | + | $b1 = "__imp_BeaconDataExtract" ascii fullword |
| 543 | + | $b2 = "__imp_BeaconDataParse" ascii fullword |
| 544 | + | $b3 = "__imp_BeaconDataParse" ascii fullword |
| 545 | + | $b4 = "__imp_BeaconDataParse" ascii fullword |
| 546 | + | $b5 = "__imp_ADVAPI32$StartServiceA" ascii fullword |
| 547 | + | $b6 = "__imp_ADVAPI32$DeleteService" ascii fullword |
| 548 | + | $b7 = "__imp_ADVAPI32$QueryServiceStatus" ascii fullword |
| 549 | + | $b8 = "__imp_ADVAPI32$CloseServiceHandle" ascii fullword |
| 550 | + | $c1 = "__imp__BeaconDataExtract" ascii fullword |
| 551 | + | $c2 = "__imp__BeaconDataParse" ascii fullword |
| 552 | + | $c3 = "__imp__BeaconDataParse" ascii fullword |
| 553 | + | $c4 = "__imp__BeaconDataParse" ascii fullword |
| 554 | + | $c5 = "__imp__ADVAPI32$StartServiceA" ascii fullword |
| 555 | + | $c6 = "__imp__ADVAPI32$DeleteService" ascii fullword |
| 556 | + | $c7 = "__imp__ADVAPI32$QueryServiceStatus" ascii fullword |
| 557 | + | $c8 = "__imp__ADVAPI32$CloseServiceHandle" ascii fullword |
| 558 | + | condition: |
| 559 | + | 1 of ($a*) or 5 of ($b*) or 5 of ($c*) |
| 560 | + | } |
| 561 | + | |
| 562 | + | rule Windows_Trojan_CobaltStrike_8a791eb7 { |
| 563 | + | meta: |
| 564 | + | author = "Elastic Security" |
| 565 | + | id = "8a791eb7-dc0c-4150-9e5b-2dc21af0c77d" |
| 566 | + | fingerprint = "4967886ba5e663f2e2dc0631939308d7d8f2194a30590a230973e1b91bd625e1" |
| 567 | + | creation_date = "2021-03-23" |
| 568 | + | last_modified = "2021-08-23" |
| 569 | + | description = "Identifies Registry module from Cobalt Strike" |
| 570 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 571 | + | severity = 100 |
| 572 | + | arch_context = "x86" |
| 573 | + | scan_context = "file, memory" |
| 574 | + | license = "Elastic License v2" |
| 575 | + | os = "windows" |
| 576 | + | strings: |
| 577 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\registry.x64.o" ascii fullword |
| 578 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\registry.x86.o" ascii fullword |
| 579 | + | $b1 = "__imp_ADVAPI32$RegOpenKeyExA" ascii fullword |
| 580 | + | $b2 = "__imp_ADVAPI32$RegEnumKeyA" ascii fullword |
| 581 | + | $b3 = "__imp_ADVAPI32$RegOpenCurrentUser" ascii fullword |
| 582 | + | $b4 = "__imp_ADVAPI32$RegCloseKey" ascii fullword |
| 583 | + | $b5 = "__imp_BeaconFormatAlloc" ascii fullword |
| 584 | + | $b6 = "__imp_BeaconOutput" ascii fullword |
| 585 | + | $b7 = "__imp_BeaconFormatFree" ascii fullword |
| 586 | + | $b8 = "__imp_BeaconDataPtr" ascii fullword |
| 587 | + | $c1 = "__imp__ADVAPI32$RegOpenKeyExA" ascii fullword |
| 588 | + | $c2 = "__imp__ADVAPI32$RegEnumKeyA" ascii fullword |
| 589 | + | $c3 = "__imp__ADVAPI32$RegOpenCurrentUser" ascii fullword |
| 590 | + | $c4 = "__imp__ADVAPI32$RegCloseKey" ascii fullword |
| 591 | + | $c5 = "__imp__BeaconFormatAlloc" ascii fullword |
| 592 | + | $c6 = "__imp__BeaconOutput" ascii fullword |
| 593 | + | $c7 = "__imp__BeaconFormatFree" ascii fullword |
| 594 | + | $c8 = "__imp__BeaconDataPtr" ascii fullword |
| 595 | + | condition: |
| 596 | + | 1 of ($a*) or 5 of ($b*) or 5 of ($c*) |
| 597 | + | } |
| 598 | + | |
| 599 | + | rule Windows_Trojan_CobaltStrike_d00573a3 { |
| 600 | + | meta: |
| 601 | + | author = "Elastic Security" |
| 602 | + | id = "d00573a3-db26-4e6b-aabf-7af4a818f383" |
| 603 | + | fingerprint = "b6fa0792b99ea55f359858d225685647f54b55caabe53f58b413083b8ad60e79" |
| 604 | + | creation_date = "2021-03-23" |
| 605 | + | last_modified = "2021-08-23" |
| 606 | + | description = "Identifies Screenshot module from Cobalt Strike" |
| 607 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 608 | + | severity = 100 |
| 609 | + | arch_context = "x86" |
| 610 | + | scan_context = "file, memory" |
| 611 | + | license = "Elastic License v2" |
| 612 | + | os = "windows" |
| 613 | + | strings: |
| 614 | + | $a1 = "screenshot.x64.dll" ascii fullword |
| 615 | + | $a2 = "screenshot.dll" ascii fullword |
| 616 | + | $a3 = "\\\\.\\pipe\\screenshot" ascii fullword |
| 617 | + | $b1 = "1I1n1Q3M5Q5U5Y5]5a5e5i5u5{5" ascii fullword |
| 618 | + | $b2 = "GetDesktopWindow" ascii fullword |
| 619 | + | $b3 = "CreateCompatibleBitmap" ascii fullword |
| 620 | + | $b4 = "GDI32.dll" ascii fullword |
| 621 | + | $b5 = "ReflectiveLoader" |
| 622 | + | $b6 = "Adobe APP14 marker: version %d, flags 0x%04x 0x%04x, transform %d" ascii fullword |
| 623 | + | condition: |
| 624 | + | 2 of ($a*) or 5 of ($b*) |
| 625 | + | } |
| 626 | + | |
| 627 | + | rule Windows_Trojan_CobaltStrike_7bcd759c { |
| 628 | + | meta: |
| 629 | + | author = "Elastic Security" |
| 630 | + | id = "7bcd759c-8e3d-4559-9381-1f4fe8b3dd95" |
| 631 | + | fingerprint = "553085f1d1ca8dcd797360b287951845753eee7370610a1223c815a200a5ed20" |
| 632 | + | creation_date = "2021-03-23" |
| 633 | + | last_modified = "2021-08-23" |
| 634 | + | description = "Identifies SSH Agent module from Cobalt Strike" |
| 635 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 636 | + | severity = 100 |
| 637 | + | arch_context = "x86" |
| 638 | + | scan_context = "file, memory" |
| 639 | + | license = "Elastic License v2" |
| 640 | + | os = "windows" |
| 641 | + | strings: |
| 642 | + | $a1 = "sshagent.x64.dll" ascii fullword |
| 643 | + | $a2 = "sshagent.dll" ascii fullword |
| 644 | + | $b1 = "\\\\.\\pipe\\sshagent" ascii fullword |
| 645 | + | $b2 = "\\\\.\\pipe\\PIPEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii fullword |
| 646 | + | condition: |
| 647 | + | 1 of ($a*) and 1 of ($b*) |
| 648 | + | } |
| 649 | + | |
| 650 | + | rule Windows_Trojan_CobaltStrike_a56b820f { |
| 651 | + | meta: |
| 652 | + | author = "Elastic Security" |
| 653 | + | id = "a56b820f-0a20-4054-9c2d-008862646a78" |
| 654 | + | fingerprint = "5418e695bcb1c37e72a7ff24a39219dc12b3fe06c29cedefd500c5e82c362b6d" |
| 655 | + | creation_date = "2021-03-23" |
| 656 | + | last_modified = "2021-08-23" |
| 657 | + | description = "Identifies Timestomp module from Cobalt Strike" |
| 658 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 659 | + | severity = 100 |
| 660 | + | arch_context = "x86" |
| 661 | + | scan_context = "file, memory" |
| 662 | + | license = "Elastic License v2" |
| 663 | + | os = "windows" |
| 664 | + | strings: |
| 665 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\timestomp.x64.o" ascii fullword |
| 666 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\timestomp.x86.o" ascii fullword |
| 667 | + | $b1 = "__imp_KERNEL32$GetFileTime" ascii fullword |
| 668 | + | $b2 = "__imp_KERNEL32$SetFileTime" ascii fullword |
| 669 | + | $b3 = "__imp_KERNEL32$CloseHandle" ascii fullword |
| 670 | + | $b4 = "__imp_KERNEL32$CreateFileA" ascii fullword |
| 671 | + | $b5 = "__imp_BeaconDataExtract" ascii fullword |
| 672 | + | $b6 = "__imp_BeaconPrintf" ascii fullword |
| 673 | + | $b7 = "__imp_BeaconDataParse" ascii fullword |
| 674 | + | $b8 = "__imp_BeaconDataExtract" ascii fullword |
| 675 | + | $c1 = "__imp__KERNEL32$GetFileTime" ascii fullword |
| 676 | + | $c2 = "__imp__KERNEL32$SetFileTime" ascii fullword |
| 677 | + | $c3 = "__imp__KERNEL32$CloseHandle" ascii fullword |
| 678 | + | $c4 = "__imp__KERNEL32$CreateFileA" ascii fullword |
| 679 | + | $c5 = "__imp__BeaconDataExtract" ascii fullword |
| 680 | + | $c6 = "__imp__BeaconPrintf" ascii fullword |
| 681 | + | $c7 = "__imp__BeaconDataParse" ascii fullword |
| 682 | + | $c8 = "__imp__BeaconDataExtract" ascii fullword |
| 683 | + | condition: |
| 684 | + | 1 of ($a*) or 5 of ($b*) or 5 of ($c*) |
| 685 | + | } |
| 686 | + | |
| 687 | + | rule Windows_Trojan_CobaltStrike_92f05172 { |
| 688 | + | meta: |
| 689 | + | author = "Elastic Security" |
| 690 | + | id = "92f05172-f15c-4077-a958-b8490378bf08" |
| 691 | + | fingerprint = "09b1f7087d45fb4247a33ae3112910bf5426ed750e1e8fe7ba24a9047b76cc82" |
| 692 | + | creation_date = "2021-03-23" |
| 693 | + | last_modified = "2021-08-23" |
| 694 | + | description = "Identifies UAC cmstp module from Cobalt Strike" |
| 695 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 696 | + | severity = 100 |
| 697 | + | arch_context = "x86" |
| 698 | + | scan_context = "file, memory" |
| 699 | + | license = "Elastic License v2" |
| 700 | + | os = "windows" |
| 701 | + | strings: |
| 702 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uaccmstp.x64.o" ascii fullword |
| 703 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uaccmstp.x86.o" ascii fullword |
| 704 | + | $b1 = "elevate_cmstp" ascii fullword |
| 705 | + | $b2 = "$pdata$elevate_cmstp" ascii fullword |
| 706 | + | $b3 = "$unwind$elevate_cmstp" ascii fullword |
| 707 | + | $c1 = "_elevate_cmstp" ascii fullword |
| 708 | + | $c2 = "__imp__OLE32$CoGetObject@16" ascii fullword |
| 709 | + | $c3 = "__imp__KERNEL32$GetModuleFileNameA@12" ascii fullword |
| 710 | + | $c4 = "__imp__KERNEL32$GetSystemWindowsDirectoryA@8" ascii fullword |
| 711 | + | $c5 = "OLDNAMES" |
| 712 | + | $c6 = "__imp__BeaconDataParse" ascii fullword |
| 713 | + | $c7 = "_willAutoElevate" ascii fullword |
| 714 | + | condition: |
| 715 | + | 1 of ($a*) or 3 of ($b*) or 4 of ($c*) |
| 716 | + | } |
| 717 | + | |
| 718 | + | rule Windows_Trojan_CobaltStrike_417239b5 { |
| 719 | + | meta: |
| 720 | + | author = "Elastic Security" |
| 721 | + | id = "417239b5-cf2d-4c85-a022-7a8459c26793" |
| 722 | + | fingerprint = "292afee829e838f9623547f94d0561e8a9115ce7f4c40ae96c6493f3cc5ffa9b" |
| 723 | + | creation_date = "2021-03-23" |
| 724 | + | last_modified = "2021-08-23" |
| 725 | + | description = "Identifies UAC token module from Cobalt Strike" |
| 726 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 727 | + | severity = 100 |
| 728 | + | arch_context = "x86" |
| 729 | + | scan_context = "file, memory" |
| 730 | + | license = "Elastic License v2" |
| 731 | + | os = "windows" |
| 732 | + | strings: |
| 733 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken.x64.o" ascii fullword |
| 734 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken.x86.o" ascii fullword |
| 735 | + | $a3 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken2.x64.o" ascii fullword |
| 736 | + | $a4 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken2.x86.o" ascii fullword |
| 737 | + | $b1 = "$pdata$is_admin_already" ascii fullword |
| 738 | + | $b2 = "$unwind$is_admin" ascii fullword |
| 739 | + | $b3 = "$pdata$is_admin" ascii fullword |
| 740 | + | $b4 = "$unwind$is_admin_already" ascii fullword |
| 741 | + | $b5 = "$pdata$RunAsAdmin" ascii fullword |
| 742 | + | $b6 = "$unwind$RunAsAdmin" ascii fullword |
| 743 | + | $b7 = "is_admin_already" ascii fullword |
| 744 | + | $b8 = "is_admin" ascii fullword |
| 745 | + | $b9 = "process_walk" ascii fullword |
| 746 | + | $b10 = "get_current_sess" ascii fullword |
| 747 | + | $b11 = "elevate_try" ascii fullword |
| 748 | + | $b12 = "RunAsAdmin" ascii fullword |
| 749 | + | $b13 = "is_ctfmon" ascii fullword |
| 750 | + | $c1 = "_is_admin_already" ascii fullword |
| 751 | + | $c2 = "_is_admin" ascii fullword |
| 752 | + | $c3 = "_process_walk" ascii fullword |
| 753 | + | $c4 = "_get_current_sess" ascii fullword |
| 754 | + | $c5 = "_elevate_try" ascii fullword |
| 755 | + | $c6 = "_RunAsAdmin" ascii fullword |
| 756 | + | $c7 = "_is_ctfmon" ascii fullword |
| 757 | + | $c8 = "_reg_query_dword" ascii fullword |
| 758 | + | $c9 = ".drectve" ascii fullword |
| 759 | + | $c10 = "_is_candidate" ascii fullword |
| 760 | + | $c11 = "_SpawnAsAdmin" ascii fullword |
| 761 | + | $c12 = "_SpawnAsAdminX64" ascii fullword |
| 762 | + | condition: |
| 763 | + | 1 of ($a*) or 9 of ($b*) or 7 of ($c*) |
| 764 | + | } |
| 765 | + | |
| 766 | + | rule Windows_Trojan_CobaltStrike_29374056 { |
| 767 | + | meta: |
| 768 | + | author = "Elastic Security" |
| 769 | + | id = "29374056-03ce-484b-8b2d-fbf75be86e27" |
| 770 | + | fingerprint = "4cd7552a499687ac0279fb2e25722f979fc5a22afd1ea4abba14a2ef2002dd0f" |
| 771 | + | creation_date = "2021-03-23" |
| 772 | + | last_modified = "2021-08-23" |
| 773 | + | description = "Identifies Cobalt Strike MZ Reflective Loader." |
| 774 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 775 | + | severity = 100 |
| 776 | + | arch_context = "x86" |
| 777 | + | scan_context = "file, memory" |
| 778 | + | license = "Elastic License v2" |
| 779 | + | os = "windows" |
| 780 | + | strings: |
| 781 | + | $a1 = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D ?? FF FF FF 48 81 C3 ?? ?? 00 00 FF D3 } |
| 782 | + | $a2 = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 } |
| 783 | + | condition: |
| 784 | + | 1 of ($a*) |
| 785 | + | } |
| 786 | + | |
| 787 | + | rule Windows_Trojan_CobaltStrike_949f10e3 { |
| 788 | + | meta: |
| 789 | + | author = "Elastic Security" |
| 790 | + | id = "949f10e3-68c9-4600-a620-ed3119e09257" |
| 791 | + | fingerprint = "34e04901126a91c866ebf61a61ccbc3ce0477d9614479c42d8ce97a98f2ce2a7" |
| 792 | + | creation_date = "2021-03-25" |
| 793 | + | last_modified = "2021-08-23" |
| 794 | + | description = "Identifies the API address lookup function used by Cobalt Strike along with XOR implementation by Cobalt Strike." |
| 795 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 796 | + | severity = 100 |
| 797 | + | arch_context = "x86" |
| 798 | + | scan_context = "file, memory" |
| 799 | + | license = "Elastic License v2" |
| 800 | + | os = "windows" |
| 801 | + | strings: |
| 802 | + | $a1 = { 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 } |
| 803 | + | $a2 = { 8B 07 01 C3 85 C0 75 E5 58 C3 E8 [2] FF FF 31 39 32 2E 31 36 38 2E ?? 2E } |
| 804 | + | condition: |
| 805 | + | all of them |
| 806 | + | } |
| 807 | + | |
| 808 | + | rule Windows_Trojan_CobaltStrike_8751cdf9 { |
| 809 | + | meta: |
| 810 | + | author = "Elastic Security" |
| 811 | + | id = "8751cdf9-4038-42ba-a6eb-f8ac579a4fbb" |
| 812 | + | fingerprint = "0988386ef4ba54dd90b0cf6d6a600b38db434e00e569d69d081919cdd3ea4d3f" |
| 813 | + | creation_date = "2021-03-25" |
| 814 | + | last_modified = "2021-08-23" |
| 815 | + | description = "Identifies Cobalt Strike wininet reverse shellcode along with XOR implementation by Cobalt Strike." |
| 816 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 817 | + | severity = 99 |
| 818 | + | arch_context = "x86" |
| 819 | + | scan_context = "file, memory" |
| 820 | + | license = "Elastic License v2" |
| 821 | + | os = "windows" |
| 822 | + | strings: |
| 823 | + | $a1 = { 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07 } |
| 824 | + | $a2 = { 8B 07 01 C3 85 C0 75 E5 58 C3 E8 [2] FF FF 31 39 32 2E 31 36 38 2E ?? 2E } |
| 825 | + | condition: |
| 826 | + | all of them |
| 827 | + | } |
| 828 | + | |
| 829 | + | rule Windows_Trojan_CobaltStrike_8519072e { |
| 830 | + | meta: |
| 831 | + | author = "Elastic Security" |
| 832 | + | id = "8519072e-3e43-470b-a3cf-18f92b3f31a2" |
| 833 | + | fingerprint = "9fc88b798083adbcf25f9f0b35fbb5035a98cdfe55377de96fa0353821de1cc8" |
| 834 | + | creation_date = "2021-03-25" |
| 835 | + | last_modified = "2021-10-04" |
| 836 | + | description = "Identifies Cobalt Strike trial/default versions" |
| 837 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 838 | + | severity = 90 |
| 839 | + | arch_context = "x86" |
| 840 | + | scan_context = "file, memory" |
| 841 | + | license = "Elastic License v2" |
| 842 | + | os = "windows" |
| 843 | + | strings: |
| 844 | + | $a1 = "User-Agent:" |
| 845 | + | $a2 = "wini" |
| 846 | + | $a3 = "5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword |
| 847 | + | $a4 = /[^0-9";.\/]([0-9]{1,3}\.){3}[0-9]{1,3}[^0-9";.\/]/ |
| 848 | + | condition: |
| 849 | + | all of them |
| 850 | + | } |
| 851 | + | |
| 852 | + | rule Windows_Trojan_CobaltStrike_663fc95d { |
| 853 | + | meta: |
| 854 | + | author = "Elastic Security" |
| 855 | + | id = "663fc95d-2472-4d52-ad75-c5d86cfc885f" |
| 856 | + | fingerprint = "d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48" |
| 857 | + | creation_date = "2021-04-01" |
| 858 | + | last_modified = "2021-12-17" |
| 859 | + | description = "Identifies CobaltStrike via unidentified function code" |
| 860 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 861 | + | severity = 100 |
| 862 | + | arch_context = "x86" |
| 863 | + | scan_context = "file, memory" |
| 864 | + | license = "Elastic License v2" |
| 865 | + | os = "windows" |
| 866 | + | strings: |
| 867 | + | $a = { 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 } |
| 868 | + | condition: |
| 869 | + | all of them |
| 870 | + | } |
| 871 | + | |
| 872 | + | rule Windows_Trojan_CobaltStrike_b54b94ac { |
| 873 | + | meta: |
| 874 | + | author = "Elastic Security" |
| 875 | + | id = "b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca" |
| 876 | + | fingerprint = "2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8" |
| 877 | + | creation_date = "2021-10-21" |
| 878 | + | last_modified = "2022-01-13" |
| 879 | + | description = "Rule for beacon sleep obfuscation routine" |
| 880 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 881 | + | reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" |
| 882 | + | severity = 100 |
| 883 | + | arch_context = "x86" |
| 884 | + | scan_context = "file, memory" |
| 885 | + | license = "Elastic License v2" |
| 886 | + | os = "windows" |
| 887 | + | strings: |
| 888 | + | $a_x64 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 } |
| 889 | + | $a_x64_smbtcp = { 4C 8B 07 B8 4F EC C4 4E 41 F7 E1 41 8B C1 C1 EA 02 41 FF C1 6B D2 0D 2B C2 8A 4C 38 10 42 30 0C 06 48 } |
| 890 | + | $a_x86 = { 8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2 } |
| 891 | + | $a_x86_2 = { 8B 06 8D 3C 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 32 08 30 07 41 3B 4D 08 72 E6 8B 45 FC EB C7 } |
| 892 | + | $a_x86_smbtcp = { 8B 07 8D 34 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 3A 08 30 06 41 3B 4D 08 72 E6 8B 45 FC EB } |
| 893 | + | condition: |
| 894 | + | any of them |
| 895 | + | } |
| 896 | + | |
| 897 | + | rule Windows_Trojan_CobaltStrike_f0b627fc { |
| 898 | + | meta: |
| 899 | + | author = "Elastic Security" |
| 900 | + | id = "f0b627fc-97cd-42cb-9eae-1efb0672762d" |
| 901 | + | fingerprint = "fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1" |
| 902 | + | creation_date = "2021-10-21" |
| 903 | + | last_modified = "2022-01-13" |
| 904 | + | description = "Rule for beacon reflective loader" |
| 905 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 906 | + | reference_sample = "b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b" |
| 907 | + | severity = 100 |
| 908 | + | arch_context = "x86" |
| 909 | + | scan_context = "file, memory" |
| 910 | + | license = "Elastic License v2" |
| 911 | + | os = "windows" |
| 912 | + | strings: |
| 913 | + | $beacon_loader_x64 = { 25 FF FF FF 00 3D 41 41 41 00 75 [5-10] 25 FF FF FF 00 3D 42 42 42 00 75 } |
| 914 | + | $beacon_loader_x86 = { 25 FF FF FF 00 3D 41 41 41 00 75 [4-8] 81 E1 FF FF FF 00 81 F9 42 42 42 00 75 } |
| 915 | + | $beacon_loader_x86_2 = { 81 E1 FF FF FF 00 81 F9 41 41 41 00 75 [4-8] 81 E2 FF FF FF 00 81 FA 42 42 42 00 75 } |
| 916 | + | $generic_loader_x64 = { 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0 } |
| 917 | + | $generic_loader_x86 = { 83 C4 04 89 45 FC 8B 4D 08 0F BE 11 03 55 FC 89 55 FC 8B 45 08 83 C0 01 89 45 08 8B 4D 08 0F BE } |
| 918 | + | condition: |
| 919 | + | any of them |
| 920 | + | } |
| 921 | + | |
| 922 | + | rule Windows_Trojan_CobaltStrike_dcdcdd8c { |
| 923 | + | meta: |
| 924 | + | author = "Elastic Security" |
| 925 | + | id = "dcdcdd8c-7395-4453-a74a-60ab8e251a5a" |
| 926 | + | fingerprint = "8aed1ae470d06a7aac37896df22b2f915c36845099839a85009212d9051f71e9" |
| 927 | + | creation_date = "2021-10-21" |
| 928 | + | last_modified = "2022-01-13" |
| 929 | + | description = "Rule for beacon sleep PDB" |
| 930 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 931 | + | reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" |
| 932 | + | severity = 100 |
| 933 | + | arch_context = "x86" |
| 934 | + | scan_context = "file, memory" |
| 935 | + | license = "Elastic License v2" |
| 936 | + | os = "windows" |
| 937 | + | strings: |
| 938 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask.x64.o" ascii fullword |
| 939 | + | $a2 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask.x86.o" ascii fullword |
| 940 | + | $a3 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_smb.x64.o" ascii fullword |
| 941 | + | $a4 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_smb.x86.o" ascii fullword |
| 942 | + | $a5 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_tcp.x64.o" ascii fullword |
| 943 | + | $a6 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_tcp.x86.o" ascii fullword |
| 944 | + | condition: |
| 945 | + | any of them |
| 946 | + | } |
| 947 | + | |
| 948 | + | rule Windows_Trojan_CobaltStrike_a3fb2616 { |
| 949 | + | meta: |
| 950 | + | author = "Elastic Security" |
| 951 | + | id = "a3fb2616-b03d-4399-9342-0fc684fb472e" |
| 952 | + | fingerprint = "c15cf6aa7719dac6ed21c10117f28eb4ec56335f80a811b11ab2901ad36f8cf0" |
| 953 | + | creation_date = "2021-10-21" |
| 954 | + | last_modified = "2022-01-13" |
| 955 | + | description = "Rule for browser pivot " |
| 956 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 957 | + | reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" |
| 958 | + | severity = 100 |
| 959 | + | arch_context = "x86" |
| 960 | + | scan_context = "file, memory" |
| 961 | + | license = "Elastic License v2" |
| 962 | + | os = "windows" |
| 963 | + | strings: |
| 964 | + | $a1 = "browserpivot.dll" ascii fullword |
| 965 | + | $a2 = "browserpivot.x64.dll" ascii fullword |
| 966 | + | $b1 = "$$$THREAD.C$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" ascii fullword |
| 967 | + | $b2 = "COBALTSTRIKE" ascii fullword |
| 968 | + | condition: |
| 969 | + | 1 of ($a*) and 2 of ($b*) |
| 970 | + | } |
| 971 | + | |
| 972 | + | rule Windows_Trojan_CobaltStrike_8ee55ee5 { |
| 973 | + | meta: |
| 974 | + | author = "Elastic Security" |
| 975 | + | id = "8ee55ee5-67f1-4f94-ab93-62bb5cfbeee9" |
| 976 | + | fingerprint = "7e7ed4f00d0914ce0b9f77b6362742a9c8b93a16a6b2a62b70f0f7e15ba3a72b" |
| 977 | + | creation_date = "2021-10-21" |
| 978 | + | last_modified = "2022-01-13" |
| 979 | + | description = "Rule for wmi exec module" |
| 980 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 981 | + | reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" |
| 982 | + | severity = 100 |
| 983 | + | arch_context = "x86" |
| 984 | + | scan_context = "file, memory" |
| 985 | + | license = "Elastic License v2" |
| 986 | + | os = "windows" |
| 987 | + | strings: |
| 988 | + | $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\wmiexec.x64.o" ascii fullword |
| 989 | + | $a2 = "z:\\devcenter\\aggressor\\external\\pxlib\\bin\\wmiexec.x86.o" ascii fullword |
| 990 | + | condition: |
| 991 | + | 1 of ($a*) |
| 992 | + | } |
| 993 | + | |
| 994 | + | rule Windows_Trojan_CobaltStrike_8d5963a2 { |
| 995 | + | meta: |
| 996 | + | author = "Elastic Security" |
| 997 | + | id = "8d5963a2-54a9-4705-9f34-0d5f8e6345a2" |
| 998 | + | fingerprint = "228cd65380cf4b04f9fd78e8c30c3352f649ce726202e2dac9f1a96211925e1c" |
| 999 | + | creation_date = "2022-08-10" |
| 1000 | + | last_modified = "2022-09-29" |
| 1001 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 1002 | + | reference_sample = "9fe43996a5c4e99aff6e2a1be743fedec35e96d1e6670579beb4f7e7ad591af9" |
| 1003 | + | severity = 100 |
| 1004 | + | arch_context = "x86" |
| 1005 | + | scan_context = "file, memory" |
| 1006 | + | license = "Elastic License v2" |
| 1007 | + | os = "windows" |
| 1008 | + | strings: |
| 1009 | + | $a = { 40 55 53 56 57 41 54 41 55 41 56 41 57 48 8D 6C 24 D8 48 81 EC 28 01 00 00 45 33 F6 48 8B D9 48 } |
| 1010 | + | condition: |
| 1011 | + | all of them |
| 1012 | + | } |
| 1013 | + | |
| 1014 | + | rule Windows_Trojan_CobaltStrike_1787eef5 { |
| 1015 | + | meta: |
| 1016 | + | author = "Elastic Security" |
| 1017 | + | id = "1787eef5-ff00-4e19-bd22-c5dfc9488c7b" |
| 1018 | + | fingerprint = "292f15bdc978fc29670126f1bdc72ade1e7faaf1948653f70b6789a82dbee67f" |
| 1019 | + | creation_date = "2022-08-29" |
| 1020 | + | last_modified = "2022-09-29" |
| 1021 | + | description = "CS shellcode variants" |
| 1022 | + | threat_name = "Windows.Trojan.CobaltStrike" |
| 1023 | + | reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a" |
| 1024 | + | severity = 100 |
| 1025 | + | arch_context = "x86" |
| 1026 | + | scan_context = "file, memory" |
| 1027 | + | license = "Elastic License v2" |
| 1028 | + | os = "windows" |
| 1029 | + | strings: |
| 1030 | + | $a1 = { 55 89 E5 83 EC ?? A1 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 31 C0 C9 C3 55 } |
| 1031 | + | $a2 = { 55 89 E5 83 EC ?? A1 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 31 C0 C9 C3 55 89 E5 83 EC ?? 83 7D ?? ?? } |
| 1032 | + | $a3 = { 55 89 E5 8B 45 ?? 5D FF E0 55 8B 15 ?? ?? ?? ?? 89 E5 8B 45 ?? 85 D2 7E ?? 83 3D ?? ?? ?? ?? ?? } |
| 1033 | + | $a4 = { 55 89 E5 8B 45 ?? 5D FF E0 55 89 E5 83 EC ?? 8B 15 ?? ?? ?? ?? 8B 45 ?? 85 D2 7E ?? 83 3D ?? ?? ?? ?? ?? } |
| 1034 | + | $a5 = { 4D 5A 41 52 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 8D 1D ?? ?? ?? ?? 48 89 DF 48 81 C3 ?? ?? ?? ?? } |
| 1035 | + | condition: |
| 1036 | + | 1 of ($a*) |
| 1037 | + | } |
| 1038 | + | |
| 1039 | + | |