
YARA rules for detecting Cobalt Strike beacons – sharing my collection

Observer · 0 XP
March 7, 2026

I’ve been maintaining a set of YARA rules for detecting Cobalt Strike beacons in memory and on disk. Sharing them here for the community. These cover versions 4.0 through 4.9 including some of the cracked variants.

rule CobaltStrike_Beacon_Encoded {
    meta:
        description = "Detects Cobalt Strike beacon encoded payloads"
        author = "sarah_cipher"
        date = "2025-01"
    strings:
        // x86 stager prologue: cld; call; pushad; mov ebp, esp
        $header = { FC E8 89 00 00 00 60 89 E5 }
        // "ihihik": config block header XOR-encoded with 0x69 (decodes to 00 01 00 01 00 02)
        $config = { 69 68 69 68 69 6B }
        // x64 code bytes: mov r10, [rbx+8]; mov r9d, [r10]
        $sleep_mask = { 4C 8B 53 08 45 8B 0A }
    condition:
        any of them
}

Maya Patel
Expert · 2,800 XP
February 7, 2026

This is incredible work, Sarah. I’ve been using a similar ruleset and can confirm these detect the latest 4.9 variants. One addition I’d suggest:

$watermark = { 01 00 00 00 ?? ?? ?? ?? 00 00 00 00 }

This catches the license watermark that’s present in cracked versions. The watermark value can help attribute which cracked copy is being used.
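
Added example, not code from the thread or its posters: a small Python matcher that compiles the hex strings above (including the wildcard $watermark), evaluates the rule's "any of them" condition over a constructed sample buffer, and reads the four wildcard bytes back as the watermark value for attribution. The sample bytes and the 0x1337 value are made up for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Hex strings from the thread; "??" is YARA's single-byte wildcard.
PATTERNS: Dict[str, str] = {
    "header": "FC E8 89 00 00 00 60 89 E5",
    "config": "69 68 69 68 69 6B",
    "sleep_mask": "4C 8B 53 08 45 8B 0A",
    "watermark": "01 00 00 00 ?? ?? ?? ?? 00 00 00 00",
}

def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex ('??' -> any one byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes) -> Dict[str, List[Tuple[int, bytes]]]:
    """Return {name: [(offset, matched_bytes), ...]} for each pattern that hits."""
    hits: Dict[str, List[Tuple[int, bytes]]] = {}
    for name, pattern in PATTERNS.items():
        found = [(m.start(), m.group(0))
                 for m in compile_hex_pattern(pattern).finditer(data)]
        if found:
            hits[name] = found
    return hits

def matches_rule(data: bytes) -> bool:
    """The rule's 'any of them' condition: at least one string present."""
    return bool(scan(data))

def watermark_values(data: bytes) -> List[int]:
    """Read the four wildcard bytes of each $watermark hit as a little-endian int,
    the value the thread suggests using to attribute a cracked copy. The pattern
    is loose on its own (01 00 00 00, any 4 bytes, 4 zero bytes also occurs in
    ordinary data), so treat a watermark-only hit as weak evidence."""
    return [int.from_bytes(m[4:8], "little")
            for _, m in scan(data).get("watermark", [])]

# Constructed sample (not a real beacon): x86 stager prologue, NOP padding,
# then a fabricated watermark record whose wildcard bytes hold 0x1337.
SAMPLE = (bytes.fromhex("FC E8 89 00 00 00 60 89 E5") + b"\x90" * 16
          + bytes.fromhex("01 00 00 00") + (0x1337).to_bytes(4, "little")
          + bytes(4) + b"\x90" * 8)

if __name__ == "__main__":
    for name, found in scan(SAMPLE).items():
        print(f"${name} at offsets {[off for off, _ in found]}")
    print("watermark values:", [hex(v) for v in watermark_values(SAMPLE)])
```

A watermark-only hit on a buffer such as `01 00 00 00` followed by eight zero bytes shows why the wildcard string should be paired with another string rather than relied on alone.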

James Morrison
Analyst · 1,900 XP
February 19, 2026

Thanks for sharing! I’ve integrated these into our CrowdStrike custom IOAs and they’re already catching things our default rules missed. Would you consider publishing these on GitHub so the community can contribute?
