
Google releases 165 YARA rules to detect Cobalt Strike attacks
2022-11-21 16:32

The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise to help defenders detect Cobalt Strike components in their networks.

"We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike's components and its respective versions," said Google Cloud Threat Intelligence security engineer Greg Sinclair.

The rules are built to identify specific, non-current Cobalt Strike releases. Because cracked and leaked copies of the tool tend to lag the current release, a hit on an older version is a much stronger signal of unauthorized use than a generic "Cobalt Strike present" match, which makes it easier to separate legitimate deployments from those run by threat actors.

As Google explained, cracked and leaked releases of Cobalt Strike are, in most cases, at least one version behind the current one. That version lag allowed the company to collect hundreds of stagers, templates, and beacon samples used in the wild and build YARA-based detection rules for them with a high degree of accuracy.

"Our goal was to make high-fidelity detections to enable pinpointing the exact version of particular Cobalt Strike components. Whenever possible, we built signatures to detect specific versions of the Cobalt Strike component," Sinclair added.
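To make the version-pinning approach concrete, the following is an added illustration of how such a ruleset can be structured in YARA; it is not one of Google's released rules, and every string and byte pattern in it is a constructed placeholder rather than a real Cobalt Strike artifact. A generic private rule recognizes the component, and separate public rules pin the version by requiring an additional version-specific marker on top of the generic match.

```yara
// Added example, not from Google's GCTI release. All patterns below are
// constructed placeholders; real rules pin on bytes taken from actual
// Cobalt Strike components and are not reproduced here.

private rule CobaltStrike_Beacon_Generic_PLACEHOLDER
{
    meta:
        description = "Generic beacon marker (placeholder pattern, illustrative only)"
    strings:
        // Hypothetical marker shared by every beacon build.
        $cfg_marker = { DE AD BE EF 00 01 02 03 }
    condition:
        uint16(0) == 0x5A4D and        // MZ header: a PE file
        $cfg_marker
}

rule CobaltStrike_Beacon_v4_3_PLACEHOLDER
{
    meta:
        description = "Beacon, version 4.3 (placeholder pattern, illustrative only)"
        version     = "4.3"
    strings:
        // Hypothetical byte sequence present only in the 4.3 build.
        $v43 = { 43 53 04 03 }
    condition:
        CobaltStrike_Beacon_Generic_PLACEHOLDER and $v43
}

rule CobaltStrike_Beacon_v4_7_PLACEHOLDER
{
    meta:
        description = "Beacon, version 4.7 (placeholder pattern, illustrative only)"
        version     = "4.7"
    strings:
        // Hypothetical byte sequence present only in the 4.7 build.
        $v47 = { 43 53 04 07 }
    condition:
        CobaltStrike_Beacon_Generic_PLACEHOLDER and $v47
}
```

Because the generic rule is private, only the version-specific rules fire, so each match names the exact build. In triage, a hit on a version older than the current release is the high-value signal the article describes: a licensed red team is unlikely to be running a stale build, while cracked copies almost always are. A hit on the latest version still needs to be checked against known authorized engagements, since the version lag alone cannot separate it from legitimate use.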

Google has also shared a collection of detection signatures for Sliver, a legitimate and open-source adversary emulation framework designed for security testing that has also been adopted by malicious actors as a Cobalt Strike alternative.


News URL

https://www.bleepingcomputer.com/news/security/google-releases-165-yara-rules-to-detect-cobalt-strike-attacks/
