Default Cobalt Strike Certificate

Detects the presence of the default Cobalt Strike certificate in HTTPS traffic

Sigma rule

title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
status: test
description: Detects the presence of the default Cobalt Strike certificate in HTTPS traffic
references:
    - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
author: Bhabesh Raj
date: 2021/06/23
modified: 2022/10/09
tags:
    - attack.command_and_control
    - attack.s0154
logsource:
    product: zeek
    service: x509
detection:
    selection:
        certificate.serial: 8BB00EE
    condition: selection
fields:
    - san.dns
    - certificate.subject
    - certificate.issuer
falsepositives:
    - Unknown
level: high
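The rule above is a single equality match on certificate.serial in Zeek's x509 log. The following is an added example, not code from the Sigma project or from the rule's author, that runs the same selection over a few constructed Zeek x509.log records in JSON output mode (Zeek flattens nested fields into dotted keys, so the Sigma field names map directly onto the JSON keys). It goes slightly beyond the rule: Sigma string matching is case-insensitive, and Zeek writes the serial as hex without a fixed width, so the example compares numerically (0x8BB00EE is 146473198 in decimal) rather than by string. The "dec" branch is an assumption for log sources that record the serial as a decimal integer; it is not something the Zeek log source in the rule needs. The log lines are constructed for the example and are not real captures.

```python
import json

# Constructed sample Zeek x509.log records (JSON output mode), not real captures.
# Record 1: exact hex serial from the rule. Record 2: unrelated serial.
# Record 3: same serial in lowercase, which Sigma's case-insensitive match also hits.
SAMPLE_X509_LOG = """\
{"ts":1624406400.1,"id":"FaBcD1x","certificate.version":3,"certificate.serial":"8BB00EE","certificate.subject":"CN=example-c2.test","certificate.issuer":"CN=example-c2.test","san.dns":["example-c2.test"]}
{"ts":1624406401.2,"id":"FxYz9Q2","certificate.version":3,"certificate.serial":"0A1B2C3D4E5F","certificate.subject":"CN=www.example.org","certificate.issuer":"CN=Example CA","san.dns":["www.example.org","example.org"]}
{"ts":1624406402.3,"id":"F7Hj3K4","certificate.version":3,"certificate.serial":"8bb00ee","certificate.subject":"CN=legit.test","certificate.issuer":"CN=legit.test"}
"""

DEFAULT_CS_SERIAL_HEX = "8BB00EE"                        # value from the Sigma rule
DEFAULT_CS_SERIAL_INT = int(DEFAULT_CS_SERIAL_HEX, 16)   # 146473198

# The fields the rule asks to surface alongside a hit.
RULE_FIELDS = ("san.dns", "certificate.subject", "certificate.issuer")


def serial_matches(serial, encoding="hex"):
    """Return True when `serial` equals the default Cobalt Strike serial.

    encoding="hex": Zeek x509.log style (hex string, any case, leading zeros ignored).
    encoding="dec": assumption for sources that log the serial as a decimal integer.
    Anything unparsable is treated as a non-match rather than an error, so one
    malformed record cannot stop the scan.
    """
    if serial is None:
        return False
    text = str(serial).strip()
    try:
        value = int(text, 16) if encoding == "hex" else int(text, 10)
    except ValueError:
        return False
    return value == DEFAULT_CS_SERIAL_INT


def scan_zeek_x509(log_text):
    """Apply the rule's selection to each JSON line and return the hits.

    Each hit carries the Zeek file id (for pivoting to files.log / ssl.log)
    plus the fields listed in the rule; missing fields come back as None.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if serial_matches(rec.get("certificate.serial"), "hex"):
            hits.append({"id": rec.get("id"), **{f: rec.get(f) for f in RULE_FIELDS}})
    return hits


if __name__ == "__main__":
    for hit in scan_zeek_x509(SAMPLE_X509_LOG):
        print(hit)
```

Run against a real Zeek deployment by feeding x509.log (JSON mode) to scan_zeek_x509; the returned dictionaries contain the same san.dns, certificate.subject and certificate.issuer values the rule's fields section asks an analyst to look at when triaging a hit.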
