rule Leviathan_CobaltStrike_Sample_1 {
	meta:
		description = "Detects Cobalt Strike sample from Leviathan report"
		license = "https://creativecommons.org/licenses/by-nc/4.0/"
		author = "Florian Roth"
	strings:
		$x1 = "a54c81.dll" ascii fullword
		$x2 = "%d is an x64 process (can't inject x86 content)" ascii fullword
		$x3 = "Failed to impersonate logged on user %d (%u)" ascii fullword
		$s1 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword
		$s2 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword
		$s3 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword
		$s4 = "could not write to process memory: %d" ascii fullword
		$s5 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x% 
08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
		$s6 = "Could not connect to pipe (%s): %d" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 600KB and (1 of ($x*) or 3 of them)
}