From 886e444e3d46964eb151a026cd5bafd8fb0b352a Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 14 Jun 2023 20:01:09 +0530
Subject: [PATCH] minor -update

---
 ssl/c2/quasar-rat-c2.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml
index ee6e523208..be1e836a1e 100644
--- a/ssl/c2/quasar-rat-c2.yaml
+++ b/ssl/c2/quasar-rat-c2.yaml
@@ -2,7 +2,7 @@ id: quasar-rat-c2
 
 info:
   name: Detect SSL Certificate Quasar RAT C2
-  author: johnk3r
+  author: johnk3r,pussycat0x
   severity: info
   description: |
     Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
@@ -12,7 +12,8 @@ info:
     max-request: 1
     verified: "true"
     shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
-  tags: c2,ir,osint,malware
+    censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server","OrcusServerCertificate"}'
+  tags: c2,ir,osint,malware,quasar,rat
 
 ssl:
   - address: "{{Host}}:{{Port}}"
@@ -22,6 +23,8 @@ ssl:
         part: issuer_cn
         words:
           - "Quasar Server CA"
+          - "OrcusServerCertificate"
+        condition: or  
 
     extractors:
       - type: json