[Emerging-Sigs] SIG: ET TROJAN Default CobaltStrike SSL Certificate

Kevin Ross kevross33 at googlemail.com
Wed May 6 03:24:09 HDT 2020


Hi,

Default CobaltStrike cert detection based on
https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html

You can see examples of this here
https://censys.io/certificates?q=cobaltstrike

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Default CobaltStrike SSL Certificate"; flow:established,to_client; tls_cert_issuer; content:"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike"; nocase; classtype:trojan-activity; reference:url,www.cobaltstrike.com; sid:144411; rev:1;)


Kind Regards,
Kevin Ross
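The check the rule above performs, reproduced outside Suricata as an added example (this is not code from the post, from Emerging Threats or from Cobalt Strike): decode the DER-encoded issuer Name of an X.509 certificate into the "C=..., ST=..., CN=..." string form that the tls_cert_issuer buffer carries, then do the same case-insensitive substring match as content/nocase. The DER encoder and the three issuer blobs are constructed here to make the example self-contained; they are not captured certificates, and the benign issuer values are made up.

```python
"""Added example: decode a DER X.509 issuer Name and match it the way the
ET rule's tls_cert_issuer; content:"..."; nocase; does.  Sample issuer
blobs are constructed below with a small encoder, not captured traffic."""

# The issuer DN the rule looks for, in the "C=..., ST=..., ..." form in
# which Suricata exposes tls_cert_issuer (RDNs joined by ", ").
DEFAULT_COBALTSTRIKE_ISSUER = (
    "C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
    "OU=AdvancedPenTesting, CN=Major Cobalt Strike"
)

# X.500 attribute-type OIDs -> short names used in DN strings.
OID_SHORT_NAMES = {
    "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (>127 bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """DER OBJECT IDENTIFIER content octets -> dotted-decimal text."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def issuer_dn_from_der(name_der):
    """DER Name (SEQUENCE OF SET OF {OID, value}) -> 'C=..., CN=...' string."""
    tag, rdn_seq, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("X.509 Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = _read_tlv(rdn_seq, pos)       # SET OF AttributeTypeAndValue
        spos = 0
        while spos < len(rdn_set):
            _, atv, spos = _read_tlv(rdn_set, spos)     # SEQUENCE { type, value }
            _, oid, vpos = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, vpos)
            dotted = _decode_oid(oid)
            parts.append(f"{OID_SHORT_NAMES.get(dotted, dotted)}={val.decode('utf-8')}")
    return ", ".join(parts)


def is_default_cobaltstrike_issuer(name_der):
    """Same semantics as the rule: case-insensitive substring match (nocase)."""
    return DEFAULT_COBALTSTRIKE_ISSUER.lower() in issuer_dn_from_der(name_der).lower()


# --- tiny DER encoder, only used to construct the sample issuers below ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes(2, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def encode_name(rdns):
    """[(short_name, text), ...] -> DER Name, one UTF8String ATV per RDN."""
    short_to_oid = {v: k for k, v in OID_SHORT_NAMES.items()}
    sets = b""
    for short, text in rdns:
        atv = _tlv(0x30, _tlv(0x06, _encode_oid(short_to_oid[short]))
                   + _tlv(0x0C, text.encode("utf-8")))
        sets += _tlv(0x31, atv)
    return _tlv(0x30, sets)


# Constructed samples (built here, not captured): the default CS issuer,
# a case-mangled copy that nocase must still hit, and a made-up benign CA.
CS_DEFAULT_ISSUER_DER = encode_name([
    ("C", "Earth"), ("ST", "Cyberspace"), ("L", "Somewhere"), ("O", "cobaltstrike"),
    ("OU", "AdvancedPenTesting"), ("CN", "Major Cobalt Strike")])
CS_MIXED_CASE_ISSUER_DER = encode_name([
    ("C", "EARTH"), ("ST", "CyberSpace"), ("L", "somewhere"), ("O", "CobaltStrike"),
    ("OU", "advancedpentesting"), ("CN", "MAJOR COBALT STRIKE")])
BENIGN_ISSUER_DER = encode_name([("C", "US"), ("O", "Example CA"), ("CN", "Example Root CA")])

if __name__ == "__main__":
    for label, der in [("default", CS_DEFAULT_ISSUER_DER),
                       ("mixed-case", CS_MIXED_CASE_ISSUER_DER),
                       ("benign", BENIGN_ISSUER_DER)]:
        print(f"{label:10} {issuer_dn_from_der(der)!r} -> {is_default_cobaltstrike_issuer(der)}")
```

The default issuer Name is over 127 bytes, so the long-form DER length path is exercised by the first sample. Note the scope of the signature: it fires only on the self-signed certificate Cobalt Strike generates when no keystore is configured, so a team server fronted by a redirector, a CDN, or a custom certificate presents a different issuer and produces no hit; a miss is not evidence of absence.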