cs_yara icon indicating copy to clipboard operation
cs_yara copied to clipboard

Published 20 hours ago verified publisher icon jas502n

Metadata

check cs yara rules

cs_yara

Check Cobalt Strike Yara Rules

参考链接

https://github.com/CCob/BeaconEye

BeaconEye Bug Fix: https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-gong-ji-fang-yu/untitled-1

rule from https://raw.githubusercontent.com/CCob/BeaconEye/master/BeaconEye.cs

beaconEye.yar

rule CobaltStrike { 
  strings:  
    $cobaltStrikeRule64 = {  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00 (00|01|02|04|08|10) 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00  02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00  02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00  01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 } 
    $cobaltStrikeRule32 = {  00 00 00 00 00 00 00 00  01 00 00 00 (00|01|02|04|08|10) 00 00 00 01 00 00 00 ?? ?? 00 00  02 00 00 00 ?? ?? ?? ??  02 00 00 00 ?? ?? ?? ??  01 00 00 00 ?? ?? 00 00 }
  condition: any of them
}

yara download

https://virustotal.github.io/yara/

https://github.com/virustotal/yara/releases/latest

cs beacon

powershell check

powershell -command "Get-Process | ForEach-Object {./yara64.exe beaconEye.yar $_.ID -s}"

Metadata

43
Stars
9
Forks
Watchers

Owner

verified publisher icon jas502n

Metadata

check cs yara rules

Back