nuclei-templates/ssl/c2/cobalt-strike-c2.yaml

id: cobalt-strike-c2

info:
  name: Cobalt Strike C2 - Detect
  author: pussycat0x
  severity: info
  description: |
    Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network.    
  reference:
    - https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/
  metadata:
    verified: "true"
    max-request: 1
    shodan-query: ssl.cert.serial:146473198
  tags: c2,ir,osint,malware,ssl,panel,cobalt-strike
ssl:
  - address: "{{Host}}:{{Port}}"
    matchers:
      - type: dsl
        dsl:
          - 'contains(serial,"08:BB:00:EE")'

    extractors:
      - type: json
        json:
          - ".serial"
# digest: 4a0a0047304502205ba910ef7a6c4ad9a4b4cde9bedc47cb51b5a5ede0b437a5cfe1dbb0671b9c330221008d1ab0226dd233212d2e0c55500006cb891193d96ef6539baa3c40046a2e3233:922c64590222798bb761d5b6d8e72950