title: CobaltStrike Malleable (OCSP) Profile
status: experimental
description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
author: Markus Neis
tags:
    - attack.t1102
logsource:
    category: proxy
detection:
    selection:
      URL: '*/oscp/*'
      Host: 'ocsp.verisign.com'
     
    condition: selection 
falsepositives:
    - Unknown
level: high