From d63b7bd48474880b33fc0ca720b977b66a21eee4 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 14 Jun 2023 19:51:21 +0530
Subject: [PATCH] Bitrat C2 - Detect

---
 ssl/c2/bitrat-c2.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 ssl/c2/bitrat-c2.yaml

diff --git a/ssl/c2/bitrat-c2.yaml b/ssl/c2/bitrat-c2.yaml
new file mode 100644
index 0000000000..55bdc5f823
--- /dev/null
+++ b/ssl/c2/bitrat-c2.yaml
@@ -0,0 +1,28 @@
+id: bitrat-c2
+
+info:
+  name: Bitrat C2 - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    BitRAT is a fairly recent, notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums since Feb 2021. The RAT is particularly well known for its social media presence and functionality such as: Data exfiltration. Execution of payloads with bypasses.
+  reference: |
+    https://github.com/thehappydinoa/awesome-censys-queries#bitrat--
+  metadata:
+    verified: "true"
+    censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "BitRAT"'
+  tags: c2,ir,osint,bitrat,ssl
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: word
+        part: issuer_cn
+        words:
+          - "BitRAT"
+
+    extractors:
+      - type: json
+        json:
+          - ".issuer_cn"