[Snort-sigs] CobaltStrike certificate

rmkml rmkml at ...4129...
Mon Dec 12 15:47:15 EST 2016


Hi Joshua,

Could you try disabling checksum verification, please? (-k none)

Best Regards
@Rmkml

On Mon, 12 Dec 2016, joshua burgess wrote:

> 
> I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity.  I have the thumbprint "6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial
> number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats.
> 
> 
> That being said... What's wrong with this rule:
> 
> 
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)
> 
> I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.
> 
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)
> 
> My FireEye box is firing on the SSL certificate for the CobaltStrike activity but my IDS rules are NOT (and they are on the same monitoring network).
> 
> 
> Thanks for any help.
> 
>
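As an added illustration (not part of this thread, and not the actual Cobalt Strike certificate), the Python below shows why a content match on the thumbprint cannot fire and which bytes do travel in the clear. The thumbprint is the SHA-1 of the DER-encoded certificate, computed by whoever receives it; those 20 bytes are never transmitted. The serial number and the subject/issuer attributes are part of the DER that is sent in the TLS Certificate message, so those are the bytes a rule can match, which is exactly what the ETPRO rule does with the empty-attribute pattern `55 04 06 13 00` (OID countryName followed by a zero-length PrintableString). The certificate here is a constructed stand-in with only the fields needed; the serial value is the one quoted in the message, and the `find_empty_attributes` scan is a simplified version of the ETPRO logic, not Snort's own matcher.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV using short or long definite-length form."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_integer(value: bytes) -> bytes:
    """DER INTEGER from big-endian magnitude bytes; pad if the top bit is set."""
    if value[0] & 0x80:
        value = b"\x00" + value
    return der_tlv(0x02, value)

# Serial from the message; everything else below is constructed sample data.
SERIAL = bytes.fromhex("08bb00ee")
OID_COUNTRY = bytes.fromhex("550406")      # 2.5.4.6 countryName
OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 commonName

def rdn(oid: bytes, value: bytes, string_tag: int = 0x13) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, PrintableString } }."""
    attr = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(string_tag, value))
    return der_tlv(0x31, attr)

def build_sample_cert(serial: bytes = SERIAL) -> bytes:
    """Constructed stand-in for an X.509 certificate with empty C and CN."""
    version = der_tlv(0xA0, der_integer(b"\x02"))              # [0] EXPLICIT v3
    name = der_tlv(0x30, rdn(OID_COUNTRY, b"") + rdn(OID_COMMON_NAME, b""))
    tbs = der_tlv(0x30, version + der_integer(serial) + name + name)  # issuer, subject
    return der_tlv(0x30, tbs)

def thumbprint(der: bytes) -> str:
    """The 'thumbprint' shown by certificate viewers: SHA-1 over the DER bytes."""
    return hashlib.sha1(der).hexdigest()

def thumbprint_on_wire(der: bytes) -> bool:
    """True only if the digest bytes occur inside the certificate itself."""
    return hashlib.sha1(der).digest() in der

def serial_on_wire(der: bytes, serial: bytes) -> bool:
    """The DER INTEGER TLV of the serial is literally present in the certificate."""
    return der_integer(serial) in der

def serial_content(serial: bytes) -> str:
    """Snort content: keyword matching the DER-encoded serial number TLV."""
    tlv = der_integer(serial)
    return 'content:"|' + " ".join(f"{b:02x}" for b in tlv) + '|";'

def snort_rule(serial: bytes, sid: int) -> str:
    """Rule in the same shape as the one in the thread, keyed on the serial."""
    return (
        "alert tcp $EXTERNAL_NET 443 -> $HOME_NET any "
        '(msg:"CobaltStrike SSL cert serial"; flow:established,from_server; '
        + serial_content(serial)
        + f" classtype:trojan-activity; sid:{sid}; rev:1;)"
    )

def find_empty_attributes(der: bytes) -> list:
    """Simplified form of the ETPRO check: 2.5.4.x OIDs followed by an empty string."""
    found = []
    for i in range(len(der) - 6):
        if der[i:i + 4] == b"\x06\x03\x55\x04" and der[i + 6] == 0x00:
            found.append(der[i + 2:i + 5])
    return found

if __name__ == "__main__":
    cert = build_sample_cert()
    print("thumbprint:", thumbprint(cert))
    print("thumbprint bytes on wire:", thumbprint_on_wire(cert))
    print("serial TLV on wire:", serial_on_wire(cert, SERIAL))
    print("empty attributes:", [a.hex() for a in find_empty_attributes(cert)])
    print(snort_rule(SERIAL, 6000046))
```

Running it prints a thumbprint that is not found in the DER, confirms the serial TLV `02 04 08 bb 00 ee` is, lists the empty C and CN attributes twice (once for issuer, once for subject), and emits a serial-based rule. On a real capture the same functions can be pointed at the DER extracted from the Certificate handshake message; the serial alone is a narrow match, so pairing it with the empty-attribute pattern, as the ETPRO rule does, reduces false positives from other certificates that happen to share a short serial.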

