[Emerging-Sigs] SIG: ET TROJAN Default CobaltStrike SSL Certificate

Kevin Ross kevross33 at googlemail.com
Thu May 7 05:00:21 HDT 2020


For those interested (although many will already be doing this), this talk
is interesting around locating stuff like this:
https://github.com/aaronst/talks/blob/master/scanttouchthis.pdf

For instance, in Shodan, searches like "dev.metasploit.com; font-src" or
ssl:"MetasploitSelfSignedCA" are good for locating spun-up Metasploit instances
on the Internet. Using similar filters you can pivot off stuff to, say, hunt
down campaigns around things like CobaltStrike using other certs based on
other indicators. These indicators may not be present in actual compromise
traffic but are useful for locating and determining the domains, IPs, certificates
etc. in use.

On Wed, 6 May 2020 at 13:24, Kevin Ross <kevross33 at googlemail.com> wrote:

> Hi,
>
> Default CobaltStrike cert detection based on
> https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html
>  .
>
> You can see examples of this here
> https://censys.io/certificates?q=cobaltstrike
>
> alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Default
> CobaltStrike SSL Certificate"; flow:established,to_client; tls_cert_issuer;
> content:"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike,
> OU=AdvancedPenTesting, CN=Major Cobalt Strike"; nocase;
> classtype:trojan-activity; reference:url,www.cobaltstrike.com;
> sid:144411; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
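The signature above matches the default Cobalt Strike issuer DN inside Suricata's TLS issuer buffer with `nocase`. As an added example (not part of this thread or of the ET ruleset), the script below applies the same check offline to Suricata EVE JSON `tls` events, which carry the issuer as `tls.issuerdn`; the log lines are constructed for the example, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges. It goes slightly beyond the rule in that `parse_dn` also accepts OpenSSL's slash-separated DN rendering, so the same comparison can be run against certificates pulled from Censys or `openssl x509` output as well as from EVE logs.

```python
"""Flag TLS sessions whose certificate issuer is the default Cobalt Strike DN.

Reads Suricata EVE JSON lines (event_type "tls") and compares the issuer DN,
case-insensitively, against the DN the ET rule matches on. Sample log lines
below are constructed for this example.
"""
import json

# Issuer DN exactly as it appears in the rule's content match.
DEFAULT_COBALTSTRIKE_ISSUER = (
    "C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, "
    "OU=AdvancedPenTesting, CN=Major Cobalt Strike"
)


def parse_dn(dn):
    """Split a DN string into an ordered list of (attribute, value) pairs.

    Accepts Suricata's "C=Earth, ST=Cyberspace, ..." rendering and OpenSSL's
    "/C=Earth/ST=Cyberspace/..." rendering. Attribute names are upper-cased and
    values lower-cased so the comparison mirrors the rule's nocase modifier.
    Escaped separators inside values (e.g. "O=Foo\\, Inc.") are not handled.
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    rdns = []
    for part in parts:
        part = part.strip()
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns


DEFAULT_RDNS = parse_dn(DEFAULT_COBALTSTRIKE_ISSUER)


def is_default_cobaltstrike_issuer(dn):
    """True when every RDN, in order, equals the default Cobalt Strike issuer."""
    return parse_dn(dn) == DEFAULT_RDNS


def find_default_cs_certs(eve_lines):
    """Return (client_ip, server_ip, issuerdn) for matching EVE tls events.

    EVE tls events are logged in flow direction: src is the client, dest is the
    server that presented the certificate (the $EXTERNAL_NET side in the rule).
    """
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue
        issuer = ev.get("tls", {}).get("issuerdn", "")
        if is_default_cobaltstrike_issuer(issuer):
            hits.append((ev.get("src_ip"), ev.get("dest_ip"), issuer))
    return hits


# Constructed EVE JSON lines: one default Cobalt Strike cert, one ordinary
# CA-issued cert, and one non-tls event that must be ignored.
SAMPLE_EVE = """
{"timestamp":"2020-05-07T10:00:01.000000+0000","flow_id":1,"event_type":"tls","src_ip":"10.0.0.5","src_port":50321,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"subject":"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike","issuerdn":"C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike","version":"TLS 1.2"}}
{"timestamp":"2020-05-07T10:00:02.000000+0000","flow_id":2,"event_type":"tls","src_ip":"10.0.0.5","src_port":50322,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","tls":{"subject":"CN=example.org","issuerdn":"C=US, O=Let's Encrypt, CN=R3","version":"TLS 1.3"}}
{"timestamp":"2020-05-07T10:00:03.000000+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"198.51.100.7","proto":"TCP"}
"""


if __name__ == "__main__":
    for client, server, issuer in find_default_cs_certs(SAMPLE_EVE.splitlines()):
        print(f"default Cobalt Strike issuer: {client} -> {server}  ({issuer})")
```

Run against a real `eve.json` with `find_default_cs_certs(open("eve.json"))`. As the thread notes, a default certificate is a hunting indicator rather than something every operator leaves in place, so a miss here says nothing about whether the traffic is benign.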