30 lines
857 B
YAML
30 lines
857 B
YAML
id: bitrat-c2
|
|
|
|
info:
|
|
name: Bitrat C2 - Detect
|
|
author: pussycat0x
|
|
severity: info
|
|
description: |
|
|
BitRAT is a fairly recent, notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums since Feb 2021. The RAT is particularly well known for its social media presence and functionality such as: Data exfiltration. Execution of payloads with bypasses.
|
|
reference: |
|
|
https://github.com/thehappydinoa/awesome-censys-queries#bitrat--
|
|
metadata:
|
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "BitRAT"'
|
|
max-request: 1
|
|
verified: "true"
|
|
tags: c2,ir,osint,bitrat,ssl
|
|
|
|
ssl:
|
|
- address: "{{Host}}:{{Port}}"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: issuer_cn
|
|
words:
|
|
- "BitRAT"
|
|
|
|
extractors:
|
|
- type: json
|
|
json:
|
|
- ".issuer_cn"
|