BabyShark Pattern

rules/proxy/proxy_baby_shark.yml

@@ -0,0 +1,20 @@
+title: BabyShark Agent Pattern
+id: 304810ed-8853-437f-9e36-c4975c3dfd7e
+status: experimental
+description: Detects Baby Shark C2 Framework communcation patterns
+author: Florian Roth
+date: 2021/06/09
+references:
+    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri|contains: 'momyshark?key='
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.command_and_control
+    - attack.t1071.001