Google publishes Yara rules for Cobalt Strike

Google’s Cloud Threat Intelligence (GCTI) team has published Yara rules to detect Cobalt Strike components.

While some of our readers may get all the information they need by simply following the link above and downloading the signature set, we also understand that background and explanations help everyone, even the experts.

Cobalt Strike

Cobalt Strike is a collection of threat emulation tools provided by Fortra to work in conjunction with the Metasploit Framework. Metasploit—probably the best known project for penetration testing—is an exploit framework, designed to make it easy for someone to launch an exploit against a particular vulnerable target. Metasploit is notorious for being abused, yet modules are still being developed for it so that it continues to evolve. Cobalt Strike is in the same basket. Cobalt Strike offers a post-exploitation agent and covert channels, intended to emulate a quiet, long-term embedded actor in the target’s network.

New Cobalt Strike licenses cost $3,500 per user for a one-year license. License renewals cost $2,585 per user, per year. But why would a cybercriminal worry about such costs? Criminals who use these tools do not buy them from the vendors anyway. In many cases, leaked and older versions of Cobalt Strike are being used and in some cases, sophisticated threat actors, like the group behind Trickbot, are building their own versions of Cobalt Strike, modified for their special needs and purposes.

Yara rules

YARA rules are a way of identifying malware (or other files) by writing rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed to describe patterns that identify particular strains or entire families of malware.

A typical Yara rule, in this case one from the GCTI set, looks like this:

    rule CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_49_to_v3_14
    {
        meta:
            desc = "Cobalt Strike's resources/artifact32{.exe,.dll,big.exe,big.dll} and resources/dropper.exe signature for versions 1.49 to 3.14"
            rs1 = "40fc605a8b95bbd79a3bd7d9af73fbeebe3fada577c99e7a111f6168f6a0d37a"
            author = "gssincla@google.com"
        strings:
            // Decoder function for the embedded payload
            $payloadDecoder = { 8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 18 8B [2] 89 ?? C1 ?? 1F C1 ?? 1E 01 ?? 83 ?? 03 29 ?? 03 [2] 0F B6 00 31 ?? 88 ?? 8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 12 }
        condition:
            any of them
    }

The meta section is where metadata are added to help identify the files that were picked up by a certain rule; here it records a description, a sample hash and the author. Each metadata identifier is followed by an equal sign and its value.

The strings section is where you define the strings that will be looked for in the file. This is what the rule actually searches for. In this rule the only string is a hex pattern for the decoder function of the embedded payload, in which ?? stands for any single byte and [2] for a jump of exactly two bytes, so the rule tolerates the operand bytes (registers and offsets) that differ between builds.

The condition section specifies when the rule result is true for the object (file) under investigation. Here, any of them means that a match on any one of the defined strings is enough.
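To show how the strings section above actually matches, here is an added Python example (not from the page or from GCTI's repository) that translates the rule's $payloadDecoder hex string, with its ?? wildcards and [2] jumps, into a byte regex and scans a constructed buffer; it also handles ranged [n-m] jumps, a YARA feature beyond the quoted rule. The sample bytes are constructed for this example and are not taken from any real binary.

```python
import re

# The $payloadDecoder hex string quoted from the page's rule (GCTI's, not ours).
PAYLOAD_DECODER = (
    "8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 18 8B [2] 89 ?? C1 ?? 1F C1 ?? 1E "
    "01 ?? 83 ?? 03 29 ?? 03 [2] 0F B6 00 31 ?? 88 ?? 8B [2] 89 ?? 03 [2] 8B [2] "
    "03 [2] 0F B6 12"
)

def hex_pattern_to_regex(pattern: str):
    """Translate a YARA hex string into a compiled bytes regex.

    Tokens handled: 'AB' literal byte, '??' any one byte (wildcard),
    '[n]' exactly n skipped bytes (jump), '[n-m]' between n and m skipped bytes.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    # DOTALL so '.' also matches 0x0A, which is just another byte in a binary
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, pattern: str = PAYLOAD_DECODER) -> list:
    """Offsets at which the pattern matches, like the string offsets YARA reports."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]

# Constructed sample: four NOP filler bytes, then x86 code that fits the pattern
# (plausible mov/add/movzx/shift encodings filling each ?? and [2]), then padding.
SAMPLE = b"\x90\x90\x90\x90" + bytes.fromhex(
    "8B45F4 89C2 0355EC 8B45F0 0345E8 0FB618 8B45F4 89C2 C1FA1F C1EA1E"
    "01D0 83E003 29D0 0345E4 0FB600 31C3 88D8 8B55F4 89D0 0345E0 8B55F0"
    "0355EC 0FB612"
) + b"\xc3\x00\x00"

if __name__ == "__main__":
    print(scan(SAMPLE))  # [4]
```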

Sliver

When you visit the GCTI GitHub repository you may notice a separate set of Yara rules for Sliver. Sliver is a Go-based security testing tool developed by researchers at the cybersecurity company Bishop Fox. Due to stronger defenses against Cobalt Strike, red teamers and threat actors have looked for and found alternatives to Cobalt Strike, like the Sliver command-and-control (C2) framework. The Sliver C2 network supports multiple protocols and accepts implant and operator connections. Sliver is marketed as “designed to be an open source alternative to Cobalt Strike. Sliver supports asymmetrically encrypted C2 over DNS, HTTP, HTTPS, and Mutual TLS using per-binary X.509 certificates signed by a per-instance certificate authority and supports multiplayer mode for collaboration.”

Detection

The goal of these rules is to reduce the malicious use of Cobalt Strike. GCTI decided that detecting the exact version of Cobalt Strike was an important component in determining the legitimacy of its use: the rules aim to distinguish use by non-malicious actors from the specific versions that are known to be used by threat actors. Leaked and hacked versions are often one version behind the most current one, so the version is an important signal.

Also, each version of Cobalt Strike contains several attack template binaries that the YARA rules look for to determine whether the software is being used maliciously.

Malwarebytes detects all variants of Cobalt Strike as Trojan.CobaltStrike. Those who wish to keep it can create an exclusion.