HackTool - BabyShark Agent Default URL Pattern

Aug 12, 2024 · attack.command-and-control attack.t1071.001 ·

Detects Baby Shark C2 Framework default communication patterns

Sigma rule (View on GitHub)

 1title: HackTool - BabyShark Agent Default URL Pattern
 2id: 304810ed-8853-437f-9e36-c4975c3dfd7e
 3status: test
 4description: Detects Baby Shark C2 Framework default communication patterns
 5references:
 6    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
 7author: Florian Roth (Nextron Systems)
 8date: 2021-06-09
 9modified: 2024-02-15
10tags:
11    - attack.command-and-control
12    - attack.t1071.001
13logsource:
14    category: proxy
15detection:
16    selection:
17        c-uri|contains: 'momyshark\?key='
18    condition: selection
19falsepositives:
20    - Unlikely
21level: critical

References

Understanding & Detecting C2 Frameworks — BabyShark

doo, doo, doo, doo, doo, doo

Read More

Related rules

APT User Agent
APT40 Dropbox Tool User Agent
Bitsadmin to Uncommon IP Server Address
Bitsadmin to Uncommon TLD
Chafer Malware URL Pattern

HackTool - BabyShark Agent Default URL Pattern

Sigma rule (View on GitHub)

References

Understanding & Detecting C2 Frameworks — BabyShark

Related rules