""ET TROJAN Cobalt Strike Malleable C2 Amazon Profile Variant (GET)""

SID: 2037096

Revision: 1

Class Type: trojan-activity

Metadata: attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, deployment SSLDecrypt, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "GET"

• Value: "/s/re1f=n1b_s1b_n1oss_1/1617-3222948188-02162949/fie1ld-keyw1ords=bo1oks"

• Value: "Cook1ie|3a 20|skin=nosk111in|3b|"

Within:

PCRE:

Special Options:

• http_method

• http_uri

• http_header

• fast_pattern

source