Adversaries may use CobaltStrike to establish command and control, leveraging its persistence and exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential APT activity and mitigate lateral movement risks.
YARA Rule
rule Cobalt_functions
{
    meta:
        author="@j0sm1"
        url="https://www.securityartwork.es/2017/06/16/analisis-del-powershell-usado-fin7/"
        description="Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT"
    strings:
        $h1={58 A4 53 E5} // VirtualAllocEx
        $h2={4C 77 26 07} // LoadLibraryEx
        $h3={6A C9 9C C9} // DNSQuery_UTF8
        $h4={44 F0 35 E0} // Sleep
        $h5={F4 00 8E CC} // lstrlen
    condition:
        2 of ( $h* )
}
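The hex strings above are not instruction bytes but 32-bit API hashes: each is the ROR-13 (ROR edi,D) hash of a module name plus an export name, stored little-endian. As an added example that is not part of the original page or of @j0sm1's rule, the following Python recomputes those hashes with the Metasploit block_api convention and maps the rule's $h1, $h2 and $h4 patterns back to the kernel32 exports they encode; the candidate import list is constructed here for the demonstration.

```python
import struct

MASK = 0xFFFFFFFF

def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits: the 'ROR edi, 0xD' step."""
    return ((value >> 13) | (value << 19)) & MASK

def ror13_hash(data: bytes) -> int:
    """Fold each byte in with rotate-then-add, starting from zero."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK
    return h

def block_api_hash(module: str, function: str) -> int:
    """Metasploit block_api convention: hash(module) + hash(function), where the
    module name is upper-cased UTF-16LE including its NUL terminator and the
    function name is ASCII including its NUL terminator."""
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fun = (function + "\x00").encode("ascii")
    return (ror13_hash(mod) + ror13_hash(fun)) & MASK

def yara_hex_pattern(h: int) -> str:
    """Render a hash as the little-endian bytes a YARA hex string carries."""
    return " ".join(f"{b:02X}" for b in struct.pack("<I", h))

def resolve_patterns(patterns, candidates):
    """Map each rule byte pattern to the (module, export) pair producing it, or None."""
    table = {yara_hex_pattern(block_api_hash(m, f)): (m, f) for m, f in candidates}
    return {p: table.get(p) for p in patterns}

# Byte patterns copied from the rule's $h1, $h2 and $h4 strings.
RULE_PATTERNS = ["58 A4 53 E5", "4C 77 26 07", "44 F0 35 E0"]
# Constructed candidate list; the *Ex variants are included to show they do not match.
CANDIDATES = [
    ("kernel32.dll", "VirtualAlloc"), ("kernel32.dll", "VirtualAllocEx"),
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "LoadLibraryExA"),
    ("kernel32.dll", "Sleep"),
]

if __name__ == "__main__":
    for pattern, hit in resolve_patterns(RULE_PATTERNS, CANDIDATES).items():
        print(f"{pattern} -> {hit}")
```

Because the patterns are hashes of import names rather than code, they survive packing of the stager only while the hash algorithm stays ROR-13; a tool that rotates by a different count or salts the module name yields different bytes and evades the rule.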
The rule's detection logic consists of 5 hex string patterns and fires when any 2 of them are present. The following scenarios describe benign activity that may trigger the rule, each with a suggested filter/exclusion:
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses the ROR edi,D instruction as part of a data processing operation.
Filter/Exclusion: process.name != "schtasks.exe" or process.parent.name != "services.exe"

Scenario: Admin Debugging with WinDbg
Description: A system administrator uses WinDbg to debug a kernel-mode driver, which may involve the ROR edi,D instruction during analysis.
Filter/Exclusion: process.name != "windbg.exe" or process.parent.name != "explorer.exe"

Scenario: CobaltStrike Beacon Communication
Description: A legitimate CobaltStrike beacon is used by a red team for internal network testing, which may trigger the rule due to its network behavior.
Filter/Exclusion: process.name != "cobaltstrike.exe" or process.parent.name != "cmd.exe"

Scenario: PowerShell Script with Bitwise Operations
Description: A PowerShell script uses bitwise rotation operations (e.g., ROR edi,D) as part of a cryptographic or data manipulation task.
Filter/Exclusion: process.name != "powershell.exe" or script.hash != "known_legit_script_hash"

Scenario: Antivirus Heuristic Scanning
Description: An antivirus tool performs heuristic analysis and generates false positives due to the presence of the ROR edi,D instruction in benign code.
Filter/Exclusion: process.name != "avscan.exe" or process.parent.name != "svchost.exe"