Signature match: Trojan (appears legitimate but performs malicious actions), platform Win64 (Windows 64-bit), family CobaltStrike
This entry describes the Microsoft Defender detection Trojan:Win64/CobaltStrike.T!MTB for a 64-bit Windows Trojan attributed to the CobaltStrike family, a post-exploitation framework widely abused by threat actors for command and control and lateral movement. The string indicators associated with the detection point to persistence via the Run registry key, BITS jobs and scheduled tasks, abuse of Windows living-off-the-land binaries (mshta, rundll32, regsvr32, PowerShell), Windows hook installation (WH_CBT), and Base64 obfuscation. Note that the YARA rule below carries only two byte patterns whose accuracy is rated Low and fires on a single hit, so a match should be triaged against the listed indicators and other host telemetry rather than treated on its own as proof of compromise.
Relevant strings associated with this threat (type in parentheses):
- ;t$ r (PEHSTR_EXT)
- Test.dll (PEHSTR_EXT)
- \.\PhysicalDrive0 (PEHSTR_EXT)
- C:\Users\Public (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- NewWYDll\NewWYDll\Release\NewWYDll.pdb (PEHSTR_EXT)
- %s\updater.exe (PEHSTR_EXT)
- %s\libcurl.dll (PEHSTR_EXT)
- t$0 (PEHSTR_EXT)
- TzM (PEHSTR_EXT)
- t$hL (PEHSTR_EXT)
- |#TEL (NID)
- }#TEL (NID)
- gq|#TEL (NID)
- gq}#TEL (NID)
- !#HSTR:IntentBase64 (PEHSTR_EXT)
- ToBase64String (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- mshta (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- WH_CBT (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- bitsadmin (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
rule Trojan_Win64_CobaltStrike_T_2147904324_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/CobaltStrike.T!MTB"
        threat_id = "2147904324"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "CobaltStrike"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"
    strings:
        $x_2_1 = {8b 03 03 45 ?? ff 73 fc 50 8b 43 ?? 03 45 fc 50 ff 95 ?? ?? ?? ?? 0f b7 46 ?? 83 c4 ?? ff 45 e4 83 c3 ?? 39 45 e4} //weight: 2, accuracy: Low
        $x_2_2 = {8b 45 f4 8a 00 88 45 ff 8a 01 0f be 7d ff 88 45 ?? 0f be c0 2b f8 ff 45 f4 80 7d ff} //weight: 2, accuracy: Low
    condition:
        (filesize < 20MB) and
        (1 of ($x*))
}

SHA-256: f2b41e3f4d71315710a8a9f94b9f1f56be0e6d48634d27efe5045a4276e8cc34

Immediately isolate the infected system to prevent further spread. Conduct a thorough forensic investigation to identify the initial compromise vector, lateral movement, and any deployed payloads; given the indicators above, check the Run key under both HKCU and HKLM, BITS jobs, and scheduled tasks for persistence, and look in C:\Users\Public for dropped files such as updater.exe and libcurl.dll. Remove all identified malicious files and persistence mechanisms. Use an endpoint detection and response (EDR) solution for continuous monitoring and threat hunting, and rebuild the system if the extent of compromise cannot be established.
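As an added worked example (not part of the original page and not threatcheck.sh or Microsoft tooling), the following Python re-implements the rule's matching logic without the yara library: each hex string with its ?? wildcards becomes a bytes regex, the filesize cap and the `1 of ($x*)` condition are applied, and the weight/threshold score from the rule's metadata is computed alongside. It also reports which of the plain-text indicators listed above occur in the buffer, which is the triage step the remediation text asks for, and hashes the buffer so a hit can be compared against the SHA-256 given on the page. The sample buffer is constructed for the demonstration and is not a real binary; the values filled into the wildcard positions of $x_2_1 are arbitrary assumptions.

```python
import hashlib
import re

# The two hex strings from the rule on this page; "??" is a one-byte wildcard.
RULE_PATTERNS = {
    "$x_2_1": ("8b 03 03 45 ?? ff 73 fc 50 8b 43 ?? 03 45 fc 50 ff 95 ?? ?? ?? ?? "
               "0f b7 46 ?? 83 c4 ?? ff 45 e4 83 c3 ?? 39 45 e4"),
    "$x_2_2": ("8b 45 f4 8a 00 88 45 ff 8a 01 0f be 7d ff 88 45 ?? 0f be c0 "
               "2b f8 ff 45 f4 80 7d ff"),
}
WEIGHT = 2                    # each $x_2_* string is annotated weight 2
THRESHOLD = 2                 # meta: threshold = "2"
MAX_SIZE = 20 * 1024 * 1024   # condition: filesize < 20MB

# A handful of the plain-text indicators from the list above, as raw bytes.
IOC_STRINGS = [
    rb"NewWYDll\NewWYDll\Release\NewWYDll.pdb",
    rb"Software\Microsoft\Windows\CurrentVersion\Run",
    rb"C:\Users\Public",
    rb"%s\updater.exe",
    rb"%s\libcurl.dll",
]


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        # "??" matches any single byte; everything else is a literal byte.
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def match_rule(data: bytes) -> dict:
    """Evaluate the rule's condition over an in-memory buffer.

    Mirrors `(filesize < 20MB) and (1 of ($x*))`; the weight/threshold
    score is computed too, since with weight 2 per string a single hit
    already meets threshold 2.
    """
    hits = {}
    for name, pattern in RULE_PATTERNS.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]
        if offsets:
            hits[name] = offsets
    score = WEIGHT * len(hits)
    matched = len(data) < MAX_SIZE and len(hits) >= 1 and score >= THRESHOLD
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "hits": hits,
        "score": score,
        "matched": matched,
    }


def find_iocs(data: bytes) -> list:
    """Return the listed plain-text indicators that appear in the buffer."""
    return [ioc.decode() for ioc in IOC_STRINGS if ioc in data]


def build_sample() -> bytes:
    """Constructed test buffer, not a real sample: $x_2_1 with the wildcard
    positions filled with arbitrary bytes, surrounded by filler and one of
    the listed PDB-path indicators."""
    x_2_1 = bytes.fromhex(
        "8b 03 03 45 08 ff 73 fc 50 8b 43 04 03 45 fc 50 ff 95 10 fe ff ff "
        "0f b7 46 06 83 c4 0c ff 45 e4 83 c3 08 39 45 e4"
    )
    return (b"MZ" + b"\x90" * 64 + x_2_1 + b"\x00" * 16
            + rb"NewWYDll\NewWYDll\Release\NewWYDll.pdb" + b"\x00" * 16)


if __name__ == "__main__":
    sample = build_sample()
    verdict = match_rule(sample)
    print("sha256 :", verdict["sha256"])
    print("hits   :", verdict["hits"])        # {'$x_2_1': [66]}
    print("matched:", verdict["matched"])     # True
    print("iocs   :", find_iocs(sample))
```

To scan a real file, read it with `open(path, "rb").read()` and pass the bytes to `match_rule` and `find_iocs`; compare the returned `sha256` with the hash listed above. Because the rule fires on one low-accuracy pattern, treat `matched` as a trigger for the persistence and dropped-file checks in the remediation text, not as a final verdict.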