Default Cobalt Strike Certificate

Aug 12, 2024 · attack.command-and-control attack.s0154 ·

Detects the presence of default Cobalt Strike certificate in the HTTPS traffic

Sigma rule (View on GitHub)

 1title: Default Cobalt Strike Certificate
 2id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
 3status: test
 4description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
 5references:
 6    - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 7author: Bhabesh Raj
 8date: 2021-06-23
 9modified: 2022-10-09
10tags:
11    - attack.command-and-control
12    - attack.s0154
13logsource:
14    product: zeek
15    service: x509
16detection:
17    selection:
18        certificate.serial: 8BB00EE
19    condition: selection
20fields:
21    - san.dns
22    - certificate.subject
23    - certificate.issuer
24falsepositives:
25    - Unknown
26level: high

References

Improving network-based detection of in-the-wild Cobalt Strike C2 servers while reducing the risk…

Context

Read More

Default Cobalt Strike Certificate

Sigma rule (View on GitHub)

References

Improving network-based detection of in-the-wild Cobalt Strike C2 servers while reducing the risk…

Related rules