rule: cobaltstrike malformed UAs

2024-11-06 09:25:17 +00:00 · 2021-05-10 12:43:14 +02:00 · 2021-05-10 12:43:14 +02:00 · 416030a85f
commit 416030a85f
parent fcb7aa3bcf
1 changed files with 25 additions and 0 deletions
--- a/rules/proxy/proxy_cobalt_malformed_uas.yml
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@ -0,0 +1,25 @@
+title: CobaltStrike Malformed UAs in Malleable Profiles
+id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
+status: experimental
+description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
+author: Florian Roth
+date: 2021/05/06
+references:
+  - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
+logsource:
+  category: proxy
+detection:
+  selection:
+    c-useragent: 
+        - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
+        - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
+        - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+  condition: selection
+falsepositives:
+  - Unknown
+level: critical
+tags:
+  - attack.defense_evasion
+  - attack.command_and_control
+  - attack.t1071.001
+  - attack.t1043  # an old one