title: CobaltStrike Malleable OneDrive browsing traffic profile
id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
status: experimental
description: Detects Malleable OneDrive Profile
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
author: Markus Neis
tags:
    - attack.t1102
logsource:
    category: proxy
detection:
    selection:
      cs-method: 'GET'
      c-uri: '*?manifest=wac'
      cs-host: 'onedrive.live.com'
    filter:
      c-uri: 'http*://onedrive.live.com/*'     
    condition: selection and not filter
falsepositives:
    - Unknown
level: high