valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5f6a4225ec
SigmaHQ/rules/proxy/proxy_cobalt_amazon.yml
Thomas Patzke 5f6a4225ec Unified line terminators of rules to Unix
2019-11-12 23:05:36 +01:00

28 lines
1019 B
YAML
Raw Blame History

title: CobaltStrike Malleable Amazon browsing traffic profile
status: experimental
description: Detects Malleable Amazon Profile
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
tags:
- attack.t1102
logsource:
category: proxy
detection:
selection1:
UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HttpMethod: 'GET'
URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
Host: 'www.amazon.com'
Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection2:
UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
HttpMethod: 'POST'
URL: '/N4215/adj/amzn.us.sr.aps'
Host: 'www.amazon.com'
condition: selection1 or selection2
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink