From ba85eb446cc6124acf3771f73fa43efb1a1ef2da Mon Sep 17 00:00:00 2001 From: pussycat0x <65701233+pussycat0x@users.noreply.github.com> Date: Wed, 14 Jun 2023 19:47:12 +0530 Subject: [PATCH] OrcusRAT - Detect --- ssl/c2/orcus-rat-c2.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 ssl/c2/orcus-rat-c2.yaml diff --git a/ssl/c2/orcus-rat-c2.yaml b/ssl/c2/orcus-rat-c2.yaml new file mode 100644 index 0000000000..816781eeca --- /dev/null +++ b/ssl/c2/orcus-rat-c2.yaml @@ -0,0 +1,30 @@ +id: orcus-rat-c2 + +info: + name: OrcusRAT - Detect + author: pussycat0x + severity: info + description: | + Orcus RAT is a type of malicious software program that enables remote access and control of computers and networks. It is a type of Remote Access Trojan (RAT) that has been used by attackers to gain access to and control computers and networks. + reference: | + https://github.com/thehappydinoa/awesome-censys-queries#orcusrat-- + metadata: + verified: "true" + censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}' + tags: c2,ir,osint,orcus,ssl + +ssl: + - address: "{{Host}}:{{Port}}" + + matchers: + - type: word + part: issuer_cn + words: + - "Orcus Server" + - "OrcusServerCertificate" + condition: or + + extractors: + - type: json + json: + - ".issuer_cn"