[Snort-sigs] CobaltStrike certificate

Joel Esler (jesler) jesler at ...3865...
Mon Dec 12 16:02:00 EST 2016


Joshua,

Can you grab a pcap?


--
Joel Esler | Talos: Manager | jesler at ...3865...<mailto:jesler at ...3865...>






On Dec 12, 2016, at 3:30 PM, joshua burgess <avonyxx at ...12...<mailto:avonyxx at ...12...>> wrote:

I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity.  I have the thumbprint "6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats.

That being said... What's wrong with this rule:


alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)

I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)

My FireEye box is firing for the SSL certificate is firing for the CobaltStrike activity but my IDS rules are NOT (and they are on the same monitoring network).

Thanks for any help.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org<http://slashdot.org/>! http://sdm.link/slashdot_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org<http://www.snort.org/>

Please visit http://blog.snort.org<http://blog.snort.org/> for the latest news about Snort!

Visit the Snort.org<http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161212/0fd0f50b/attachment.html>


More information about the Snort-sigs mailing list