Created
February 5, 2022 15:38
-
-
Save yt0ng/2fb4832f97a5d90687d07d2886b595c3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Must have console module via yara-4.2.0-rc1+ | |
| // expects decoded beacons | |
| import "pe" | |
| import "console" | |
| rule CobaltStrike_Watermark_Profiler: Profiler | |
| { | |
| meta: | |
| description = "Profiles Cobaltstrike Watermarks using Yara Console Module" | |
| author = "Markus Neis" | |
| date = "2022-05-02" | |
| strings: | |
| $watermark = {00 25 00 02 00 04 ?? ?? ?? ??} // TLV for watermark | |
| condition: | |
| filesize < 5MB and | |
| console.log("Watermark: ", uint32be(@watermark+6)) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment