title: BabyShark Agent Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: experimental
description: Detects Baby Shark C2 Framework communication patterns
references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021/06/09
modified: 2022/08/15
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 'momyshark\?key='
    condition: selection
falsepositives:
    - Unknown
level: critical