rules/proxy/proxy_cobalt_ocsp.yml

title: CobaltStrike Malleable (OCSP) Profile
id: 37325383-740a-403d-b1a2-b2b4ab7992e7
status: experimental
description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
author: Markus Neis
tags:
    - attack.t1102
logsource:
    category: proxy
detection:
    selection:
      c-uri: '*/oscp/*'
      cs-host: 'ocsp.verisign.com'
     
    condition: selection 
falsepositives:
    - Unknown
level: high
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`title: CobaltStrike Malleable (OCSP) Profile`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 37325383-740a-403d-b1a2-b2b4ab7992e7`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00			`status: experimental`
			`description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL`
			`references:`
			`- https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile`
			`author: Markus Neis`
			`tags:`
			`- attack.t1102`
			`logsource:`
			`category: proxy`
			`detection:`
			`selection:`
Fixed proxy rule field names 2019-12-07 00:11:33 +01:00			`c-uri: '/oscp/'`
			`cs-host: 'ocsp.verisign.com'`
Unified line terminators of rules to Unix 2019-11-12 23:05:36 +01:00
			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`