[Emerging-Sigs] SIG: ET TROJAN Default CobaltStrike SSL Certificate

Jack Mott jmott at emergingthreats.net
Wed May 6 07:05:20 HDT 2020


Hey Kevin!

Thanks for sending this in, we will get it into QA for today's release.

Best,

Jack

On Wed, May 6, 2020 at 6:24 AM Kevin Ross via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> Hi,
>
> Default CobaltStrike cert detection based on
> https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html.
>
> You can see examples of this here
> https://censys.io/certificates?q=cobaltstrike
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Default CobaltStrike SSL Certificate"; flow:established,to_client; tls_cert_issuer; content:"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike"; nocase; classtype:trojan-activity; reference:url,www.cobaltstrike.com; sid:144411; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
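The rule above matches the issuer DN of the default Cobalt Strike self-signed certificate as a case-insensitive substring of Suricata's `tls_cert_issuer` buffer. The script below is an added example, not part of the list post or of the ET ruleset: it applies the same `nocase` substring test to the `issuerdn` field of constructed Suricata EVE `tls` events, and next to it runs a component-wise DN comparison that still fires when the same issuer is rendered with different separators or attribute order (the slash-separated form is the OpenSSL style; that sample is constructed to show the difference, not taken from real traffic). The sample events, flow ids and RFC 5737 addresses are all made up.

```python
import json

# Issuer DN exactly as it appears in the rule's content: match (from the post above).
RULE_ISSUER = ("C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
               "OU=AdvancedPenTesting, CN=Major Cobalt Strike")


def rule_match(issuerdn: str) -> bool:
    """Emulate `tls_cert_issuer; content:"..."; nocase;`: a case-insensitive
    substring test against the issuer DN string Suricata exposes."""
    return RULE_ISSUER.lower() in issuerdn.lower()


def parse_dn(dn: str) -> dict:
    """Split a DN into {ATTR: value-lowercased}. Accepts the comma-separated form
    Suricata logs ('C=Earth, ST=...') and the slash form OpenSSL prints
    ('/C=Earth/ST=...'). Assumption: attribute values contain no separator
    characters, which holds for the default Cobalt Strike DN."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


DEFAULT_COBALT_DN = parse_dn(RULE_ISSUER)


def dn_match(issuerdn: str) -> bool:
    """Separator- and order-insensitive comparison of the RDN components."""
    return parse_dn(issuerdn) == DEFAULT_COBALT_DN


# Constructed Suricata EVE JSON lines (not captured traffic). Flow 2 uses the
# OpenSSL slash rendering purely to show why a literal content match is brittle.
SAMPLE_EVE = [
    '{"event_type":"tls","flow_id":1,"src_ip":"203.0.113.10","dest_ip":"192.0.2.20",'
    '"tls":{"issuerdn":"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, '
    'OU=AdvancedPenTesting, CN=Major Cobalt Strike","version":"TLS 1.2"}}',
    '{"event_type":"tls","flow_id":2,"src_ip":"203.0.113.11","dest_ip":"192.0.2.21",'
    '"tls":{"issuerdn":"/C=Earth/ST=Cyberspace/L=Somewhere/O=cobaltstrike'
    '/OU=AdvancedPenTesting/CN=Major Cobalt Strike","version":"TLS 1.2"}}',
    '{"event_type":"tls","flow_id":3,"src_ip":"203.0.113.12","dest_ip":"192.0.2.22",'
    '"tls":{"issuerdn":"C=US, O=Example CA, CN=Example Issuing CA","version":"TLS 1.3"}}',
    '{"event_type":"tls","flow_id":4,"src_ip":"203.0.113.13","dest_ip":"192.0.2.23",'
    '"tls":{"issuerdn":"C=EARTH, ST=CYBERSPACE, L=SOMEWHERE, O=COBALTSTRIKE, '
    'OU=ADVANCEDPENTESTING, CN=MAJOR COBALT STRIKE","version":"TLS 1.2"}}',
    '{"event_type":"flow","flow_id":5,"src_ip":"203.0.113.14","dest_ip":"192.0.2.24"}',
]


def scan_eve(lines):
    """Return (flow_id, rule_match, dn_match) for every tls event in the input."""
    results = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "tls":
            continue  # the rule only inspects TLS certificate metadata
        issuer = event.get("tls", {}).get("issuerdn", "")
        results.append((event["flow_id"], rule_match(issuer), dn_match(issuer)))
    return results


if __name__ == "__main__":
    for flow_id, literal, structural in scan_eve(SAMPLE_EVE):
        print(f"flow {flow_id}: literal={literal} structural={structural}")
```

Flow 2 is the instructive case: the certificate is the same default one, but because the DN is rendered with slashes the literal content match misses it while the component comparison still fires. Suricata itself always renders `tls_cert_issuer` in the comma form, so the rule as posted is sound for Suricata; the structural check matters when the same indicator is ported to other log sources.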

