From 9b599185abbdb3d7ea6f5e735622c059909207bb Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Thu, 5 Dec 2024 13:21:57 +0000
Subject: [PATCH] Tighten CobaltStrikeBeacon yara signature to reduce false positives in #2416
---
data/yara/CAPE/CobaltStrikeBeacon.yar | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/CobaltStrikeBeacon.yar b/data/yara/CAPE/CobaltStrikeBeacon.yar
index aaf01584892..3ac4c75cc6d 100644
--- a/data/yara/CAPE/CobaltStrikeBeacon.yar
+++ b/data/yara/CAPE/CobaltStrikeBeacon.yar
@@ -17,9 +17,9 @@ rule CobaltStrikeBeacon
 $pwsh1 = "IEX (New-Object Net.Webclient).DownloadString('http" ascii
 $pwsh2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
 $ver3a = {69 68 69 68 69 6b ?? ?? 69}
- $ver3b = {69 69 69 69}
+ $ver3b = {69 69 69 69 69 69 69 69 69 69 69 69 69 69 69 69}
 $ver4a = {2e 2f 2e 2f 2e 2c ?? ?? 2e}
- $ver4b = {2e 2e 2e 2e}
+ $ver4b = {2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e}
 $a1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x00-0xff)
 $a2 = "Started service %s on %s" xor(0x00-0xff)
 $a3 = "%s as %s\\%s: %d" xor(0x00-0xff)
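Review bot: The lengthened `$ver3b` and `$ver4b` byte runs carry no comment recording why the run was raised from 4 to 16 bytes, so the next tuning pass has nothing to calibrate against; a one-line comment above each, e.g. `// 16-byte run (was 4): the 4-byte run matched benign data, see #2416`, would preserve the rationale in the rule itself. The rule's `condition` is outside this hunk, so it is worth confirming that it still requires the `$ver3a`/`$ver4a` anchor alongside the matching `$ver3b`/`$ver4b` run rather than accepting a run alone, since a long run of one repeated byte can still appear in padding or filler of legitimate files. The rule's `meta` block is also outside the hunk and presumably carries a date or version field that should be bumped with this signature change.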