Snort mailing list archives

Re: CobaltStrike certificate

From: rmkml <rmkml () ligfy org>
Date: Mon, 12 Dec 2016 21:47:15 +0100 (CET)

Hi Joshua,

Could you try with disabling cksum verification please ? (-k none)

Best Regards
@Rmkml

On Mon, 12 Dec 2016, joshua burgess wrote:


I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity.  I 
have the thumbprint "6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial
number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much 
else in the way of distinguishing attributes since it has no Issuer stats.


That being said... What's wrong with this rule:


alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce  5e 
ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046;
rev:1;)

I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; 
flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|";
content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; 
distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0;
content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; 
distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0;
content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)

My FireEye box is firing for the SSL certificate is firing for the CobaltStrike activity but my IDS rules are NOT (and 
they are on the same monitoring network).


Thanks for any help.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

CobaltStrike certificate joshua burgess (Dec 12)
- Re: CobaltStrike certificate rmkml (Dec 12)
- Re: CobaltStrike certificate Joel Esler (jesler) (Dec 12)
- Re: CobaltStrike certificate wkitty42 (Dec 12)