

// Detection signature for HackTool:Win32/CobaltStrike.A expressed as a YARA rule.
// The meta description carries the original Defender signature name and its raw
// signature-type header (SIGNATURE_TYPE_PEHSTR_EXT, followed by header bytes) verbatim;
// the rule itself does not interpret those header bytes.
rule HackTool_Win32_CobaltStrike_A{
meta:
description = "HackTool:Win32/CobaltStrike.A,SIGNATURE_TYPE_PEHSTR_EXT,1f 00 1f 00 08 00 00 01 00 "
strings :
// NOTE(review): the `90 01 NN`, `90 02 NN`, `90 09 ..`, `90 17 ..` and trailing `90 00`
// byte groups look like the Defender-internal wildcard / jump / terminator encoding
// carried over from the source signature, not standard YARA hex-string syntax
// (`??`, `[n]`, `[n-m]`). A YARA engine will match them as literal bytes unless they
// are converted first — confirm against the exporter before relying on these patterns.
// The trailing `//xx 00` annotations on each string appear to be per-string weights
// from the original signature; nothing in the condition below reads them.
$a_03_0 = {00 01 00 01 00 02 90 01 02 00 02 00 01 00 02 90 00 } //01 00
$a_03_1 = {69 68 69 68 69 6b 90 01 02 69 6b 69 68 69 6b 90 00 } //01 00
$a_03_2 = {2e 2f 2e 2f 2e 2c 90 01 02 2e 2c 2e 2f 2e 2c 90 00 } //01 00
$a_03_3 = {4e 4f 4e 4f 4e 4c 90 01 02 4e 4c 4e 4f 4e 4c 90 00 } //01 00
$a_03_4 = {75 da c9 c3 8b 0d 90 01 04 8b 04 d1 8b 54 d1 04 c3 90 00 } //0a 00
$a_03_5 = {33 c9 41 51 6a 02 58 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 8b 55 90 01 01 51 50 ff 32 51 50 ff 33 51 50 ff 75 90 01 01 51 50 68 a2 90 00 } //0a 00
$a_03_6 = {40 3d 00 10 00 00 7c f1 90 09 07 00 80 90 01 05 90 17 03 01 01 01 2e 69 4e 40 90 00 } //0a 00
$a_03_7 = {68 00 00 10 00 90 02 3c 50 68 7f 66 04 40 ff 76 1c 90 02 08 81 7d fc fc ff 0f 00 90 00 } //00 00
condition:
// A single matching string is enough to fire. Because the per-string weight
// annotations above are not applied here, the short, repetitive patterns
// ($a_03_0 through $a_03_3) trigger the rule on their own, which is a looser
// match than a weighted/threshold evaluation would give — triage hits on those
// strings alone with that in mind.
any of ($a_*)
}