title: CobaltStrike Malleable OneDrive Browsing Traffic Profile id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc status: experimental description: Detects Malleable OneDrive Profile author: Markus Neis date: 2019/11/12 modified: 2020/11/28 references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile logsource: category: proxy detection: selection: cs-method: 'GET' c-uri|endswith: '?manifest=wac' cs-host: 'onedrive.live.com' filter: c-uri|startswith: 'http' c-uri|contains: '://onedrive.live.com/' condition: selection and not filter falsepositives: - Unknown level: high tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - attack.t1043 # an old one