valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
539756c884
SigmaHQ/rules/proxy/proxy_cobalt_malformed_uas.yml
Florian Roth 416030a85f rule: cobaltstrike malformed UAs
2021-05-10 12:43:14 +02:00

26 lines
870 B
YAML
Raw Blame History

title: CobaltStrike Malformed UAs in Malleable Profiles
id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
status: experimental
description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
author: Florian Roth
date: 2021/05/06
references:
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
logsource:
category: proxy
detection:
selection:
c-useragent:
- "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
- "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
- "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.defense_evasion
- attack.command_and_control
- attack.t1071.001
- attack.t1043 # an old one
Reference in New Issue View Git Blame Copy Permalink