Commit
Tighten CobaltStrikeBeacon yara signature to reduce false positives in
kevoreilly committed Dec 5, 2024
1 parent b455a54 commit 9b59918
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions data/yara/CAPE/CobaltStrikeBeacon.yar
Expand Up @@ -17,9 +17,9 @@ rule CobaltStrikeBeacon
$pwsh1 = "IEX (New-Object Net.Webclient).DownloadString('http" ascii
$pwsh2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
$ver3a = {69 68 69 68 69 6b ?? ?? 69}
$ver3b = {69 69 69 69}
$ver3b = {69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69}
$ver4a = {2e 2f 2e 2f 2e 2c ?? ?? 2e}
$ver4b = {2e 2e 2e 2e}
$ver4b = {2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e}
$a1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x00-0xff)
$a2 = "Started service %s on %s" xor(0x00-0xff)
$a3 = "%s as %s\\%s: %d" xor(0x00-0xff)
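Review bot: the change itself is sound, but the hunk does not show the rule's condition, so it is worth confirming there that $ver3b and $ver4b are still required together with $ver3a / $ver4a rather than matching on their own: a run of 16 identical bytes (0x69 or 0x2e) is far less common than the old 4-byte runs {69 69 69 69} ("iiii") and {2e 2e 2e 2e} ("...."), which any text or padding region can satisfy, yet long single-byte runs still occur in padding and filler sections of benign files. A short comment above $ver3b / $ver4b saying what these runs represent (the same 0x69 / 0x2e bytes used in $ver3a / $ver4a, for the version 3 and version 4 variants) would make the intent of the 16-byte length clear to the next maintainer.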