[Emerging-Sigs] CobaltStrike extra space sigs

Jason Williams jwilliams at emergingthreats.net
Wed Feb 12 10:44:01 HST 2020


Thanks for sharing tgreen! Will get this in for QA today

On Wed, Feb 12, 2020 at 10:29 AM Travis Green via Emerging-sigs <emerging-sigs at lists.emergingthreats.net> wrote:

> Hey team,
> Was chatting with friends when the subject of extra space in Cobalt
> Strike HTTP listener (credit to FoxIt) came up. I had crafted some
> sigs a while back as part of the TGI HUNT rules
> (github.com/travisbgreen/hunting-rules) and thought I would share
> them:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TGI HUNT Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; content:"Entrust Entelligence Security Provider"; http_user_agent; flowbits:set,hunt.entrust_entelligence; flowbits:noalert; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.entrustdatacard.com/products/pki/entrust-entelligence-security-provider; classtype:trojan-activity; sid:2610225; rev:1;)
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TGI HUNT Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; flowbits:isnotset,hunt.entrust_entelligence; content:!"WEBrick"; http_header; reference:url,github.com/fox-it/cobaltstrike-extraneous-space; threshold:type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2610227; rev:3;)
>
> feedback welcomed
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
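The detection logic of sid:2610227 in plain Python, as an added example that is not part of the original post or the TGI HUNT rule set: it decodes the Suricata content() pipe-hex pattern into the raw bytes the engine searches for and applies the rule's three conditions to constructed sample responses. The function names and the sample responses are mine; the pattern string is copied from the rule.

```python
"""Python mirror of the 'Cobalt Strike Extra Whitespace HTTP Response' rule.

Added example, not part of the original post. The Suricata content() pattern
is copied from sid:2610227; the HTTP responses below are constructed samples.
"""

# content() string from sid:2610227: literal text with |..| hex-byte escapes.
CS_RESPONSE_PATTERN = "HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"


def suricata_content_to_bytes(pattern: str) -> bytes:
    """Decode Suricata content syntax: odd-numbered '|' segments are hex bytes."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        # bytes.fromhex() skips the whitespace between bytes, e.g. "20 0d 0a"
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def matches_extra_space_rule(response: bytes, entrust_flowbit_set: bool = False) -> bool:
    """True when the response would trip sid:2610227.

    Mirrors the rule as written: the raw status line carries a space before
    CRLF and Content-Type is the *first* header (the pattern is one contiguous
    match, so a response with another header first is not matched); the
    hunt.entrust_entelligence flowbit is not set on the flow; and 'WEBrick'
    does not appear anywhere in the header block.
    """
    if entrust_flowbit_set:
        return False
    needle = suricata_content_to_bytes(CS_RESPONSE_PATTERN)
    if needle not in response:
        return False
    header_block = response.split(b"\r\n\r\n", 1)[0]
    return b"WEBrick" not in header_block


# Constructed sample responses (not captured traffic).
SUSPICIOUS = (b"HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\n"
              b"Content-Length: 0\r\n\r\n")
NORMAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
WEBRICK = b"HTTP/1.1 200 OK \r\nContent-Type: text/html\r\nServer: WEBrick\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("suspicious", SUSPICIOUS), ("normal", NORMAL), ("webrick", WEBRICK)):
        print(f"{name:10s} -> {matches_extra_space_rule(resp)}")
```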