[Emerging-Sigs] CobaltStrike extra space sigs

Travis Green travis.green at protectwise.com
Wed Feb 12 07:29:17 HST 2020

Hey team,
Was chatting with friends when the subject of extra space in Cobalt
Strike HTTP listener (credit to Fox-IT) came up. I had crafted some
sigs a while back as part of the TGI HUNT rules
(github.com/travisbgreen/hunting-rules) and thought I would share.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TGI HUNT Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; content:"Entrust Entelligence Security Provider"; http_user_agent; flowbits:set,hunt.entrust_entelligence; flowbits:noalert; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.entrustdatacard.com/products/pki/entrust-entelligence-security-provider; classtype:trojan-activity; sid:2610225; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TGI HUNT Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; flowbits:isnotset,hunt.entrust_entelligence; content:!"WEBrick"; http_header; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610227; rev:3;)

feedback welcomed
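The two rules above work as a pair: the request rule sets a flowbit when the User-Agent contains the Entrust string, and the response rule fires on a status line of "HTTP/1.1 200 OK " (trailing space before CRLF, immediately followed by a Content-Type header) only when that flowbit is not set and no "WEBrick" string appears in the response headers. The following Python is an added illustration of that matching logic run over constructed request/response pairs; it is not part of the original post or of the hunting-rules repository, and the sample hostnames and headers are made up for the example.

```python
from typing import Optional

# Constructed sample traffic for the example; none of it is captured from a real host.
SAMPLE_REQUEST_ENTRUST = (
    b"GET /update HTTP/1.1\r\n"
    b"Host: pki.example.test\r\n"
    b"User-Agent: Entrust Entelligence Security Provider\r\n\r\n"
)
SAMPLE_REQUEST_GENERIC = (
    b"GET /ca HTTP/1.1\r\n"
    b"Host: cdn.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
# Trailing space after "OK": the pattern sid 2610227 looks for.
SAMPLE_RESPONSE_EXTRA_SPACE = (
    b"HTTP/1.1 200 OK \r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Same status line, but a WEBrick Server header, which the rule excludes.
SAMPLE_RESPONSE_WEBRICK = (
    b"HTTP/1.1 200 OK \r\n"
    b"Content-Type: text/html\r\n"
    b"Server: WEBrick/1.4.2 (Ruby/2.6.0/2018-12-25)\r\n\r\n"
)
SAMPLE_RESPONSE_NORMAL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
)

ALERT_MSG = "TGI HUNT Possible Cobalt Strike Extra Whitespace HTTP Response"

# Byte-for-byte equivalent of content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"
STATUS_LINE_WITH_EXTRA_SPACE = b"HTTP/1.1 200 OK \r\nContent-Type:"


def _header_block(message: bytes) -> bytes:
    """Return the header lines of an HTTP message, without the start line or body."""
    head, _, _ = message.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers


def request_sets_entrust_flowbit(request: bytes) -> bool:
    """Mirror of sid 2610225: the User-Agent header carries the Entrust product string."""
    for line in _header_block(request).split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent" and \
                b"Entrust Entelligence Security Provider" in value:
            return True
    return False


def response_has_extra_space(response: bytes) -> bool:
    """Mirror of sid 2610227's content checks: extra space in the status line, no WEBrick header."""
    if not response.startswith(STATUS_LINE_WITH_EXTRA_SPACE):
        return False
    # content:!"WEBrick"; http_header; -> the string must be absent from the response headers
    return b"WEBrick" not in _header_block(response)


def classify(request: bytes, response: bytes) -> Optional[str]:
    """Return the alert message the rule pair would raise for this flow, or None.

    The request side is evaluated first because the flowbit it sets is what
    flowbits:isnotset on the response rule consults.
    """
    if request_sets_entrust_flowbit(request):
        return None
    if response_has_extra_space(response):
        return ALERT_MSG
    return None


if __name__ == "__main__":
    pairs = [
        ("generic UA / extra space", SAMPLE_REQUEST_GENERIC, SAMPLE_RESPONSE_EXTRA_SPACE),
        ("entrust UA / extra space", SAMPLE_REQUEST_ENTRUST, SAMPLE_RESPONSE_EXTRA_SPACE),
        ("generic UA / WEBrick", SAMPLE_REQUEST_GENERIC, SAMPLE_RESPONSE_WEBRICK),
        ("generic UA / normal", SAMPLE_REQUEST_GENERIC, SAMPLE_RESPONSE_NORMAL),
    ]
    for label, req, resp in pairs:
        print(f"{label}: {classify(req, resp)}")
```

Only the first pair fires: the Entrust request suppresses the response rule via the flowbit, the WEBrick response is excluded by the negated header match, and a status line without the trailing space never reaches the header check. The threshold in the real rules (one alert per source per 60 seconds) is a reporting control rather than a match condition, so it is not modelled here.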
