Snort mailing list archives
Re: CobaltStrike certificate
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 12 Dec 2016 21:02:00 +0000
Joshua, Can you grab a pcap? -- Joel Esler | Talos: Manager | jesler () cisco com<mailto:jesler () cisco com> On Dec 12, 2016, at 3:30 PM, joshua burgess <avonyxx () hotmail com<mailto:avonyxx () hotmail com>> wrote: I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity. I have the thumbprint "6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats. That being said... What's wrong with this rule: alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;) I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either. alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;) My FireEye box is firing for the SSL certificate is firing for the CobaltStrike activity but my IDS rules are NOT (and they are on the same monitoring network). Thanks for any help. ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org<http://slashdot.org/>! http://sdm.link/slashdot_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net> https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org<http://www.snort.org/> Please visit http://blog.snort.org<http://blog.snort.org/> for the latest news about Snort! Visit the Snort.org<http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- CobaltStrike certificate joshua burgess (Dec 12)
- Re: CobaltStrike certificate rmkml (Dec 12)
- Re: CobaltStrike certificate Joel Esler (jesler) (Dec 12)
- Re: CobaltStrike certificate wkitty42 (Dec 12)