rules/web/proxy_generic/proxy_cobalt_amazon.yml

title: CobaltStrike Malleable Amazon Browsing Traffic Profile
id: 953b895e-5cc9-454b-b183-7f3db555452e
status: test
description: Detects Malleable Amazon Profile
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
author: Markus Neis
date: 2019/11/12
modified: 2022/07/07
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection1:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'GET'
        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
        cs-host: 'www.amazon.com'
        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
    selection2:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'POST'
        c-uri: '/N4215/adj/amzn.us.sr.aps'
        cs-host: 'www.amazon.com'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00			`title: CobaltStrike Malleable Amazon Browsing Traffic Profile`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 953b895e-5cc9-454b-b183-7f3db555452e`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`description: Detects Malleable Amazon Profile`
Second round 2020-09-15 07:02:30 -06:00			`references:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile`
			`- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`author: Markus Neis`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`date: 2019/11/12`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`modified: 2022/07/07`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`tags:`
			`- attack.defense_evasion`
			`- attack.command_and_control`
			`- attack.t1071.001`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`logsource:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`category: proxy`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`detection:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`selection1:`
			`c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'`
			`cs-method: 'GET'`
			`c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'`
			`cs-host: 'www.amazon.com'`
			`cs-cookie\|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK\|1419899012996'`
			`selection2:`
			`c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'`
			`cs-method: 'POST'`
			`c-uri: '/N4215/adj/amzn.us.sr.aps'`
			`cs-host: 'www.amazon.com'`
Update proxy_cobalt_amazon.yml 2022-07-07 15:29:46 +01:00			`condition: 1 of selection*`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`falsepositives:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`- Unknown`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`level: high`