blue-team-tools/rules/web/proxy_generic/proxy_cobalt_malformed_uas.yml
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00


title: CobaltStrike Malformed UAs in Malleable Profiles
id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
status: test
description: Detects malformed user agent strings that appear in Malleable C2 profiles used with Cobalt Strike
references:
    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
author: Florian Roth (Nextron Systems)
date: 2021/05/06
modified: 2022/12/25
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection1:
        c-useragent:
            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
    selection2:
        c-useragent|endswith: '; MANM; MANM)'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
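The following is an added example, not part of the rule file or the project's own tooling: it evaluates the rule's two selections against constructed proxy records, so the matching semantics (Sigma's case-insensitive whole-string match for selection1, suffix match for selection2, OR-ed by `1 of selection*`) can be checked offline. Field names follow the rule; the record values and hosts are invented for the example.

```python
"""Evaluate the CobaltStrike malformed-UA Sigma rule against proxy records."""
from typing import Dict, List

# selection1: plain string values are matched whole. The defects the rule keys
# on are preserved literally: no space after "MSIE 6.0;" in the first UA and a
# stray space before ")" in the second. Sigma compares plain strings
# case-insensitively, so everything is normalised to lower case.
SELECTION1_UAS = {ua.lower() for ua in (
    'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)',
    'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; '
    'SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )',
    'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08',
)}
# selection2: c-useragent|endswith
SELECTION2_SUFFIX = '; MANM; MANM)'.lower()


def matched_selections(record: Dict[str, str]) -> List[str]:
    """Return the names of the selections a single proxy record satisfies."""
    ua = record.get("c-useragent", "").lower()
    hits = []
    if ua in SELECTION1_UAS:
        hits.append("selection1")
    if ua.endswith(SELECTION2_SUFFIX):
        hits.append("selection2")
    return hits


def rule_fires(record: Dict[str, str]) -> bool:
    """condition: 1 of selection* -> any single selection matching is enough."""
    return bool(matched_selections(record))


# Constructed sample records (hosts and 10.0.0.x addresses are placeholders).
SAMPLE_RECORDS = [
    {"c-ip": "10.0.0.5", "cs-host": "example.net",
     "c-useragent": "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"},
    {"c-ip": "10.0.0.6", "cs-host": "example.net",  # well-formed variant: no hit
     "c-useragent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"c-ip": "10.0.0.7", "cs-host": "example.org",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; MANM; MANM)"},
    {"c-ip": "10.0.0.8", "cs-host": "example.org",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
]


def alerting_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of proxy records down to those the rule would alert on."""
    return [r for r in records if rule_fires(r)]


if __name__ == "__main__":
    for r in alerting_records(SAMPLE_RECORDS):
        print(r["c-ip"], matched_selections(r), r["c-useragent"])
```

Note that the second record, which differs from the first only by the space the real MSIE 6.0 string has, does not match: the rule is deliberately tied to the malformed spelling.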