Cobalt Strike C2 - Detect
parent
eaeb1621ec
commit
9d007cf7fb
|
@ -0,0 +1,26 @@
|
|||
id: cobalt-strike-c2
|
||||
|
||||
info:
|
||||
name: Cobalt Strike C2 - Detect
|
||||
author: pussycat0x
|
||||
severity: info
|
||||
description: |
|
||||
Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
|
||||
reference:
|
||||
- https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
|
||||
metadata:
|
||||
shodan-query: ssl.cert.serial:146473198
|
||||
tags: ssl,c2,ir,blue-team
|
||||
|
||||
ssl:
|
||||
- address: "{{Host}}:{{Port}}"
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'contains(serial,"08:BB:00:EE")'
|
||||
|
||||
extractors:
|
||||
- type: json
|
||||
json:
|
||||
- ".serial"
|
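Review bot: The dsl matcher `contains(serial,"08:BB:00:EE")` is a substring test, so a certificate whose longer serial happens to include that byte run would also match; because the shodan-query pins the single serial 146473198 (0x08BB00EE), an exact comparison such as `- 'serial == "08:BB:00:EE"'` states the intent more precisely. The description repeats product marketing text and does not say what is detected; wording like `Detects a TLS certificate whose serial number matches the one commonly associated with Cobalt Strike's default certificate.` would tell an analyst what a hit means. It would also help to state there that a server presenting a replaced certificate will not match, so a negative result does not rule out Cobalt Strike.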