27 lines
885 B
YAML
27 lines
885 B
YAML
id: cobalt-strike-c2
|
|
|
|
info:
|
|
name: Cobalt Strike C2 - Detect
|
|
author: pussycat0x
|
|
severity: info
|
|
description: |
|
|
Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.
|
|
reference:
|
|
- https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
|
|
metadata:
|
|
verified: "true"
|
|
max-request: 1
|
|
shodan-query: ssl.cert.serial:146473198
|
|
tags: c2,ssl,tls,ir,osint,malware,panel,cobalt-strike
|
|
ssl:
|
|
- address: "{{Host}}:{{Port}}"
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(serial,"08:BB:00:EE")'
|
|
|
|
extractors:
|
|
- type: json
|
|
json:
|
|
- ".serial"
|
|
# digest: 490a0046304402200fd327e9fb1b939be18d97fea73e8bd095ac57861ac0bc2dcb656787a5bec893022078bc79bf76b744266065b178c7a2ec83187179a45eff17225e15b9eada4d2c45:922c64590222798bb761d5b6d8e72950 |