25 lines
1009 B
YAML
25 lines
1009 B
YAML
id: sliver-c2-jarm
|
|
|
|
info:
|
|
name: Sliver C2 JARM - Detect
|
|
author: pussycat0x
|
|
severity: info
|
|
description: |
|
|
Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver's implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS and are dynamically compiled with per-binary asymmetric encryption keys.
|
|
reference:
|
|
- https://github.com/cedowens/C2-JARM
|
|
- https://github.com/BishopFox/sliver
|
|
metadata:
|
|
max-request: 1
|
|
tags: jarm,c2,ir,osint,cti,sliver
|
|
tcp:
|
|
- inputs:
|
|
- data: 2E
|
|
type: hex
|
|
host:
|
|
- "{{Hostname}}"
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "jarm(Hostname) == '2ad2ad0002ad2ad00041d2ad2ad41da5207249a18099be84ef3c8811adc883'"
|
|
# digest: 4a0a00473045022100dfd1be5aa8579a9c1ec5ca3c89e3828425fdace6e52a294b55fc8a9adb74d3a40220393091982c44e799e6e5b3943173937c44a4d8243011cac4ec194a18d2cfd03e:922c64590222798bb761d5b6d8e72950 |