[Emerging-Sigs] CobaltStrike extra space sigs

Travis Green travis.green at protectwise.com
Wed Feb 12 07:29:17 HST 2020


Hey team,
I was chatting with friends when the subject of the extra space in the Cobalt
Strike HTTP listener (credit to Fox-IT) came up. I had crafted some
sigs a while back as part of the TGI HUNT rules
(github.com/travisbgreen/hunting-rules) and thought I would share
them:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TGI HUNT Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; content:"Entrust Entelligence Security Provider"; http_user_agent; flowbits:set,hunt.entrust_entelligence; flowbits:noalert; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.entrustdatacard.com/products/pki/entrust-entelligence-security-provider; classtype:trojan-activity; sid:2610225; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TGI HUNT Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; flowbits:isnotset,hunt.entrust_entelligence; content:!"WEBrick"; http_header; reference:url,github.com/fox-it/cobaltstrike-extraneous-space; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610227; rev:3;)

feedback welcomed

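The following is an added example, not part of the original post or of the TGI HUNT rule set. It re-implements the logic of the two posted Suricata rules in plain Python so the detection can be exercised offline against constructed HTTP responses: flag a status line that ends with a space before CRLF (the Fox-IT Cobalt Strike observation), suppress the hit when the request came from the "Entrust Entelligence Security Provider" user agent (the flowbit in the first rule), and suppress it when any response header contains "WEBrick" (the negated http_header match in the second rule). It generalizes the posted rule in one respect: it checks for any trailing space on the status line rather than requiring "Content-Type:" to be the first header. All sample responses below are constructed, not captured traffic.

```python
"""
Stand-alone re-implementation of the posted "extra whitespace" hunt logic.
Added example; it is not the Suricata engine and not the author's code.
"""
import re
from dataclasses import dataclass

# Status line with an optional run of spaces captured just before CRLF.
# Group 3 is non-empty for "HTTP/1.1 200 OK \r\n" and empty for "HTTP/1.1 200 OK\r\n".
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ([^\r\n]*?)( *)\r\n")

# User agent that the first posted rule turns into the hunt.entrust_entelligence flowbit.
ENTRUST_UA = "Entrust Entelligence Security Provider"


@dataclass
class Verdict:
    extraneous_space: bool   # status line had trailing whitespace
    suppressed_by: str       # why no alert would fire ("" if none)
    alert: bool              # what the second posted rule would do


def extraneous_space(response: bytes) -> bool:
    """True when the status line carries a space before CRLF."""
    m = STATUS_LINE.match(response)
    return bool(m) and m.group(3) != b""


def header_block(response: bytes) -> bytes:
    """Everything after the status line up to the blank line (raw, like http_header)."""
    head, _, _ = response.partition(b"\r\n\r\n")
    first_crlf = head.find(b"\r\n")
    return head[first_crlf + 2:] if first_crlf != -1 else b""


def evaluate(request_user_agent: str, response: bytes) -> Verdict:
    """Mirror both posted rules for one request/response pair."""
    space = extraneous_space(response)
    suppressed = ""
    if request_user_agent == ENTRUST_UA:
        # Rule 1 sets the flowbit; rule 2 requires it to be unset.
        suppressed = "flowbit hunt.entrust_entelligence"
    elif b"WEBrick" in header_block(response):
        # Rule 2: content:!"WEBrick"; http_header (any header, not only Server).
        suppressed = "WEBrick in headers"
    return Verdict(extraneous_space=space, suppressed_by=suppressed,
                   alert=space and not suppressed)


# Constructed sample responses (not real captures).
CS_LIKE = (b"HTTP/1.1 200 OK \r\n"
           b"Content-Type: application/octet-stream\r\n"
           b"Content-Length: 4\r\n\r\nAAAA")
NORMAL = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"Server: nginx\r\n"
          b"Content-Length: 0\r\n\r\n")
WEBRICK = (b"HTTP/1.1 200 OK \r\n"
           b"Content-Type: text/html\r\n"
           b"Server: WEBrick/1.4.2 (Ruby/2.6.5)\r\n"
           b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for ua, resp, label in [("Mozilla/5.0", CS_LIKE, "cobalt-strike-like"),
                            ("Mozilla/5.0", NORMAL, "normal server"),
                            ("Mozilla/5.0", WEBRICK, "webrick"),
                            (ENTRUST_UA, CS_LIKE, "entrust client")]:
        v = evaluate(ua, resp)
        print(f"{label:20} space={v.extraneous_space} alert={v.alert} "
              f"suppressed_by={v.suppressed_by or '-'}")
```

Running the block prints one line per sample; only the Cobalt-Strike-like response with an ordinary user agent produces an alert, which is the behaviour the two rules encode together.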