Snort mailing list archives

Re: CobaltStrike certificate


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 12 Dec 2016 21:02:00 +0000

Joshua,

Can you grab a pcap?


--
Joel Esler | Talos: Manager | jesler () cisco com

On Dec 12, 2016, at 3:30 PM, joshua burgess <avonyxx () hotmail com> wrote:

I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity. I have the thumbprint "6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats.

That being said... What's wrong with this rule:


alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)

I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)

My FireEye box is firing on the SSL certificate for the CobaltStrike activity but my IDS rules are NOT (and they are on the same monitoring network).

Thanks for any help.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
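Added example (editor's note, not code from either poster or from the ET ruleset): the first rule in the thread can never fire because a thumbprint is the SHA-1 of the DER-encoded certificate, computed by the receiver and never transmitted, so there is nothing on the wire for content: to match. What is on the wire is the certificate itself, which is why the ET rule walks the DER bytes of the issuer name (OID 55 04 06 for C, then a string tag, then a zero length) rather than a hash. The script below builds a constructed X.509-shaped DER skeleton with the serial quoted in the thread and all-empty name attributes, wraps it in a hand-built TLS handshake record, and checks which patterns actually occur in it. It then evaluates the ET rule's content/distance/within chain with a simplified first-hit matcher (Snort also backtracks to later occurrences; that is omitted here). All certificate bytes, names and the snort_chain helper are assumptions of this example.

```python
"""Added example (not from the thread): why a certificate thumbprint cannot be
matched with content:, and what the ET rule is matching instead.

Everything here is constructed: the DER is an X.509-shaped skeleton (not a
valid signed certificate), the TLS record is hand-built, and the serial is
the one quoted in the thread.
"""
import hashlib


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (lengths up to 65535)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


# X.520 attribute-type OIDs (2.5.4.x) in the order the ET rule walks them.
ATTR = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
        "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
SHA256_RSA = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")


def name(values: dict) -> bytes:
    """X.501 Name: SEQUENCE of SET of (OID, PrintableString) pairs."""
    return seq(*[der(0x31, seq(der(0x06, ATTR[k]), der(0x13, v)))
                 for k, v in values.items()])


def build_cert(serial: bytes, subject: dict) -> bytes:
    """X.509-shaped DER skeleton with the given serial and issuer == subject."""
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                     # version v3
        der(0x02, serial),                                 # serialNumber
        seq(SHA256_RSA, der(0x05, b"")),                   # signature algorithm
        name(subject),                                     # issuer
        seq(der(0x17, b"161212000000Z"), der(0x17, b"171212000000Z")),
        name(subject),                                     # subject
        der(0x03, b"\x00" + b"\x42" * 64),                 # placeholder key bits
    )
    return seq(tbs, seq(SHA256_RSA, der(0x05, b"")), der(0x03, b"\x00" * 129))


def tls_record(cert: bytes) -> bytes:
    """One TLS 1.0 handshake record carrying ServerHello + Certificate (constructed)."""
    def u24(n: int) -> bytes:
        return n.to_bytes(3, "big")
    hello = b"\x03\x01" + b"\x41" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    body = b"\x02" + u24(len(hello)) + hello                # ServerHello
    certs = u24(len(cert)) + cert
    body += b"\x0b" + u24(len(certs) + 3) + u24(len(certs)) + certs  # Certificate
    return b"\x16\x03\x01" + len(body).to_bytes(2, "big") + body


def thumbprint_on_wire(cert: bytes) -> bool:
    """Does the SHA-1 thumbprint appear anywhere in the bytes actually sent?"""
    return hashlib.sha1(cert).digest() in tls_record(cert)


def serial_on_wire(cert: bytes, serial: bytes) -> bool:
    """The serial is sent, as a DER INTEGER: tag 02, length, value bytes."""
    return der(0x02, serial) in tls_record(cert)


# The ET rule's content chain as (content, distance, within);
# distance None means an absolute match from the start of the payload.
ET_FAST_PATTERN = b"\x55\x04\x06\x13\x00"
ET_CHAIN = [(b"\x16", None, None), (b"\x02", 0, 8)]
for arc in ATTR.values():
    ET_CHAIN += [(arc, 0, None), (b"\x00", 1, 2)]   # skip the string tag, require length 0


def snort_chain(data: bytes, chain) -> bool:
    """Evaluate relative content matches; first hit only (Snort also backtracks)."""
    pos = 0
    for content, distance, within in chain:
        start = 0 if distance is None else pos + distance
        end = len(data) if within is None else pos + within
        idx = data.find(content, start, end)
        if idx < 0:
            return False
        pos = idx + len(content)
    return True


def et_rule_matches(data: bytes) -> bool:
    return ET_FAST_PATTERN in data and snort_chain(data, ET_CHAIN)


SERIAL = b"\x08\xbb\x00\xee"                       # serial quoted in the thread
EMPTY = {k: b"" for k in ATTR}                     # every RDN present, zero length
NORMAL = {"C": b"US", "ST": b"CA", "L": b"SF", "O": b"Acme", "OU": b"IT", "CN": b"acme.test"}

if __name__ == "__main__":
    empty_cert = build_cert(SERIAL, EMPTY)
    print("thumbprint on wire:", thumbprint_on_wire(empty_cert))
    print("serial on wire:    ", serial_on_wire(empty_cert, SERIAL))
    print("ET rule, empty cert: ", et_rule_matches(tls_record(empty_cert)))
    print("ET rule, normal cert:", et_rule_matches(tls_record(build_cert(SERIAL, NORMAL))))
```

The practical consequence for the thread: a hash-based indicator such as a thumbprint has to be matched after the certificate is reassembled and hashed (the ssl preprocessor or an out-of-band certificate log), while a plain content: rule has to target bytes that the server actually sends, such as the serial's DER INTEGER encoding or the empty-RDN layout the ET rule keys on.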

