Cobalt Strike C2 - Detect

2023-03-19 00:55:58 +05:30 · 2023-03-19 00:55:58 +05:30 · 9d007cf7fb
parent eaeb1621ec
commit 9d007cf7fb
1 changed files with 26 additions and 0 deletions
--- a/exposed-panels/c2/cobalt-strike-c2.yaml
+++ b/exposed-panels/c2/cobalt-strike-c2.yaml
@ -0,0 +1,26 @@
+id: cobalt-strike-c2
+
+info:
+  name: Cobalt Strike C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+     Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
+  reference:
+    - https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
+  metadata:
+    shodan-query: ssl.cert.serial:146473198
+  tags: ssl,c2,ir,blue-team
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(serial,"08:BB:00:EE")'
+
+    extractors:
+      - type: json
+        json:
+          - ".serial"