Thursday, November 17, 2022

Stopping Cobalt Strike with YARA

VirusTotal was born with the idea of community in mind - an ecosystem where everybody contributes and benefits. This helped grow our product around the concept of crowdsourced intelligence, where all the security community could contribute in different ways to provide more actionable tools for our users, including researchers and analysts, for detection and threat hunting.

Sometimes we have beautiful success stories on how VirusTotal’s users give back to the community what they get from the platform. In this case, our colleagues from Uppercase created a precise set of YARA rules to detect Cobalt Strike components. You can read more about it here.

Unfortunately, Cobalt Strike has become one of the main components in any attacker's toolset. Although it is a legitimate tool for pentesting, different versions have been leaked in recent years and abused in many different ways. The first step in creating a robust set of YARA rules is to have a consistent set of samples, in this case covering all the Cobalt Strike versions we want to be able to detect. VirusTotal was the platform of choice to gather all the samples needed, and thanks to our new Collections, these samples can easily be grouped in a single set - in fact, you can find this Cobalt Strike collection here.

Once all the samples are available to the researcher, there is no single way to create the YARA rules. A first approach could be checking Commonalities among the samples, in case we find an interesting characteristic or piece of metadata shared by all of them that we could use in our rule. Below you can see an example of finding commonalities in a collection of suspicious documents with more than 2000 samples:


Another possibility would be using VTDiff to find which particular bytes these samples have in common while at the same time having low prevalence in VirusTotal's collection, which is what qualifies them as significant for creating a YARA rule. Whether or not you use VTDiff, checking the prevalence of any byte sequence or string in VirusTotal's collection with a quick search is always a great idea to understand how useful it would be in your rule. Remember you can combine different byte sequences (using the "content" modifier) in your VTIntelligence search. If your rule is based purely on strings and byte sequences, you can mostly test its effectiveness with a few searches in VirusTotal.

There is a more technical approach, consisting of reversing the samples and finding something interesting and unique for the detection, which is what was used in this case. But how do you know if your rules are good enough? Usually this is an iterative process where we want the first versions of the rules to be a bit loose so we can find more suspicious samples. This is a way for us to understand whether a rule can be used for hunting. Once we are satisfied with the results (we are finding all the Cobalt Strike samples we wanted), we want to make sure we don't detect anything else (avoid false positives), especially when it comes to legitimate software.

For the process described above, you usually want to use RetroHunts, as they will check your rules against the whole VirusTotal collection. When launching your RetroHunt, you can specify the collection of samples you want your rules to be checked against. There is a collection of goodware we can use to make sure our rules don't detect any of these samples by mistake.
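The loop described in the last three paragraphs (measure how common each candidate byte sequence is, keep the rare ones, start loose, then tighten until a goodware set comes back clean) can be rehearsed offline before spending a RetroHunt on it. The script below is an added example, not VirusTotal's or Uppercase's code, and it does not talk to VirusTotal: the byte sequences, the two labelled corpora and the 0.5 prevalence threshold are all constructed for illustration, and "KERNEL32.dll" stands in for an atom that is far too common in legitimate software to carry a rule on its own.

```python
"""Offline stand-in for the YARA rule-tuning loop: atom prevalence in a
goodware set, atom filtering, loose-vs-tight condition scoring, and
rendering the tuned rule as YARA text. Added example with constructed data;
nothing here is real Cobalt Strike or real goodware content."""


# Constructed candidate byte sequences ("atoms") a reverser might pull out.
ATOMS = [
    b"XYZ-BEACON-CFG",
    b"sleep_mask_v1",
    b"KERNEL32.dll",   # deliberately common in the benign set below
    b"post_ex_pipe",
]

# Constructed corpora: fake "samples" labelled malicious or benign.
MALICIOUS = {
    "m1": b"MZ\x90\x00 ... XYZ-BEACON-CFG ... sleep_mask_v1 ... KERNEL32.dll",
    "m2": b"MZ\x90\x00 ... XYZ-BEACON-CFG ... post_ex_pipe ... KERNEL32.dll",
    "m3": b"MZ\x90\x00 ... sleep_mask_v1 ... post_ex_pipe ...",
}
BENIGN = {
    "b1": b"MZ\x90\x00 ... KERNEL32.dll ... user32.dll",
    "b2": b"MZ\x90\x00 ... KERNEL32.dll ... sleep_mask_v1 ... CompanyName",
    "b3": b"MZ\x90\x00 ... msvcrt.dll ... CompanyName",
    "b4": b"MZ\x90\x00 ... KERNEL32.dll ... ntdll.dll",
}


def prevalence(atom, corpus):
    """Fraction of files in corpus containing atom (the 'quick search' step)."""
    hits = sum(1 for data in corpus.values() if atom in data)
    return hits / len(corpus)


def select_atoms(atoms, benign, max_benign_prevalence=0.5):
    """Keep only atoms rare enough in goodware to be worth putting in a rule."""
    return [a for a in atoms if prevalence(a, benign) <= max_benign_prevalence]


def matches(atoms, min_matches, data):
    """Model the YARA condition '<min_matches> of them' for a single file."""
    return sum(1 for a in atoms if a in data) >= min_matches


def evaluate(atoms, min_matches, malicious, benign):
    """Confusion counts for one rule version, as a RetroHunt over both sets would give."""
    tp = sum(matches(atoms, min_matches, d) for d in malicious.values())
    fp = sum(matches(atoms, min_matches, d) for d in benign.values())
    return {"tp": tp, "fn": len(malicious) - tp, "fp": fp, "tn": len(benign) - fp}


def render_rule(name, atoms, min_matches):
    """Emit the tuned rule as YARA source; atoms are written as hex strings."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, atom in enumerate(atoms):
        hexstr = " ".join(f"{b:02x}" for b in atom)
        lines.append(f"        $s{i} = {{ {hexstr} }}")
    cond = "any of them" if min_matches == 1 else f"{min_matches} of them"
    lines += ["    condition:", f"        {cond}", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    kept = select_atoms(ATOMS, BENIGN)
    for a in ATOMS:
        print(f"{a!r:22} benign prevalence {prevalence(a, BENIGN):.2f}")
    for label, atoms, n in [("unfiltered, loose", ATOMS, 1),
                            ("filtered, loose", kept, 1),
                            ("filtered, tight", kept, 2)]:
        print(label, evaluate(atoms, n, MALICIOUS, BENIGN))
    print(render_rule("cobaltstrike_demo", kept, 2))
```

Running it shows the three stages the text describes: the unfiltered "any of them" rule catches every malicious sample but also three of the four benign ones; dropping the high-prevalence atom brings that down to one false positive; requiring "2 of them" keeps all three true positives and clears the goodware set. The rendered rule is the version you would then put into a RetroHunt against the real goodware collection.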


There are different ways you can check whether the results obtained from your rules are true positives. Usually in VirusTotal you will find plenty of data points you can use to double check, including verdicts, other crowdsourced rules, community comments, presence in other collections, signatures, etc. Unfortunately, sometimes the results from your rules (or VT Intelligence searches) can be huge; in that case we really encourage creating a collection with them and using the Commonalities feature to get a better understanding of how your rule did and to discriminate among your results.

Once we are satisfied with the results, we suggest deploying your rules in LiveHunt for some time, which will execute your rule against anything uploaded to VirusTotal from the moment you deploy it. This way you can monitor its effectiveness and do some final polishing if needed.

And voila! Your rules are ready to be deployed. In this case, the rules can be found here, and they are now part of our set of crowdsourced YARA rules, so everyone in the VirusTotal community will collectively benefit from this effort.

We really appreciate the effort and generosity of our colleagues from Uppercase, and we hope these ideas will help everyone understand a bit more about the creation and deployment of YARA rules. As usual, we are happy to hear from you.

Happy hunting!
