Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform Windows 64-bit, family CobaltStrike
This detection identifies Trojan:Win64/CobaltStrike.GZQ, a concrete instance of the highly sophisticated CobaltStrike post-exploitation framework, confirmed with machine learning behavioral analysis. CobaltStrike is frequently abused by threat actors for establishing command and control, lateral movement, and data exfiltration within compromised networks, posing a significant threat.
No specific strings found for this threat
rule Trojan_Win64_CobaltStrike_GZQ_2147946290_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/CobaltStrike.GZQ!MTB"
        threat_id = "2147946290"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "CobaltStrike"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "10"
        strings_accuracy = "Low"
    strings:
        $x_10_1 = {44 88 3c 30 48 ff c6 48 89 b5 ?? ?? ?? ?? 48 81 fe ?? ?? ?? ?? ?? ?? 89 f0 83 e0 0f 46 0f b6 3c 36 44 32 bc 05 ?? ?? ?? ?? 48 3b b5} //weight: 10, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901

Immediately isolate the affected system to contain the threat and prevent further compromise. Conduct a comprehensive incident response investigation to determine the initial access vector, the extent of the breach, and any persistence mechanisms. Perform full system remediation, including malware removal and patching, and reset any potentially compromised credentials.