From 17cf79d076289e2cac7739ee1a4e68b3904e5696 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 9 Dec 2020 14:49:31 -0600
Subject: [PATCH] [New Rule] Default Cobalt Strike Team Server Certificate (#358)
* initial commit
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* updated to include sub-techniques
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...cobalt_strike_default_teamserver_cert.toml | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
new file mode 100644
index 000000000..de261f611
--- /dev/null
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2020/10/05"
+maturity = "production"
+updated_date = "2020/12/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for
+Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques
+of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Modifications
+to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the
+Reference section for additional information on module configuration.
+"""
+index = ["filebeat-*", "packetbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Default Cobalt Strike Team Server Certificate"
+note = "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly."
+references = [
+ "https://attack.mitre.org/software/S0154/",
+ "https://www.cobaltstrike.com/help-setup-collaboration",
+ "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html",
+ "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html",
+ "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
+]
+risk_score = 100
+rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
+severity = "critical"
+tags = [
+ "Command and Control",
+ "Post-Execution",
+ "Threat Detection, Prevention and Hunting",
+ "Elastic",
+ "Network",
+]
+type = "query"
+
+query = '''
+event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
+ tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or
+ tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
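Review bot: The three fingerprint literals in `query` are written in uppercase hex, and a KQL term match on a keyword field is exact, so the rule would silently produce no hits if any of the Suricata, Zeek or Packetbeat pipelines named in `index` emit `tls.server.hash.*` in lowercase; this is worth confirming against real module output, or normalizing case at ingest, before relying on a critical-severity rule. The query also only ever matches the default Team Server certificate, so a deployment with a replaced certificate produces no alert at all; a one-line caveat in `note`, e.g. `This rule only covers the default Team Server certificate and should be paired with behavioral C2 detections for broader coverage.`, would set expectations for responders and point them at complementary rules. Finally, `note` is a single very long basic string while `description` uses a multi-line `"""` block; splitting `note` the same way would keep the file consistent and easier to review.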