
Summary
This rule detects the default Cobalt Strike team server certificate in TLS traffic (typically HTTPS) as an indicator of possible command-and-control (C2) activity from the Cobalt Strike framework. It inspects the serial number of X.509 certificates observed on the wire and matches the value the stock Cobalt Strike certificate carries, '8BB00EE' (146473198 in decimal). Because a legitimate server has no reason to present this certificate, a match is a high-confidence signal and raises an alert. The rule relies on Zeek (formerly Bro), a network analysis framework, and reads its x509 log; the Subject Alternative Name (SAN) DNS entries, the certificate subject and the issuer are included with each alert to give the analyst context. One caveat for practitioners: operators frequently replace the default certificate, so this rule catches only untuned team servers, and its absence does not rule out Cobalt Strike.
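The detection logic applied to sample Zeek x509 records, as an added example that is not part of the rule or of Zeek. It assumes Zeek is writing JSON logs (one record per line, with the dotted field names shown); the log lines below are constructed for the example, not captured traffic, and the subject and issuer strings of the matching record mirror the well-known defaults of the stock certificate. The serial is normalized as a hexadecimal integer before comparison, which is a defensive choice of this example rather than what an exact-string SIEM query would do.

```python
import json
from typing import Optional

# Serial number carried by the default Cobalt Strike team server certificate.
COBALT_STRIKE_DEFAULT_SERIAL = 0x8BB00EE  # 146473198 decimal

# Constructed Zeek x509.log lines in JSON output format (not real captures).
# Record 1: default Cobalt Strike certificate as Zeek would log it.
# Record 2: an ordinary certificate with a SAN that must not match.
# Record 3: the same serial, but lowercase with a leading zero, to show why
#           normalizing the serial before comparison is safer than string equality.
SAMPLE_X509_LOG = """
{"ts":1624406400.1,"id":"F1a2b3","certificate.version":3,"certificate.serial":"8BB00EE","certificate.subject":"CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike,L=Somewhere,ST=Cyberspace,C=Earth","certificate.issuer":"CN=Major Cobalt Strike,OU=AdvancedPenTesting,O=cobaltstrike,L=Somewhere,ST=Cyberspace,C=Earth","certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha256WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":2048}
{"ts":1624406401.2,"id":"F4c5d6","certificate.version":3,"certificate.serial":"0A1B2C3D","certificate.subject":"CN=www.example.com","certificate.issuer":"CN=Example CA","san.dns":["www.example.com","example.com"]}
{"ts":1624406402.3,"id":"F7e8f9","certificate.version":3,"certificate.serial":"08bb00ee","certificate.subject":"CN=updates.example.net","certificate.issuer":"CN=updates.example.net","san.dns":["updates.example.net"]}
"""


def normalize_serial(serial: str) -> Optional[int]:
    """Parse a Zeek certificate.serial (hex string) into an integer.

    Returns None when the field is missing or not valid hex, so a malformed
    record is skipped rather than crashing the detection loop.
    """
    try:
        return int(serial, 16)
    except (TypeError, ValueError):
        return None


def matches_rule(record: dict) -> bool:
    """The rule's single selection: certificate.serial equals 8BB00EE."""
    return normalize_serial(record.get("certificate.serial", "")) == COBALT_STRIKE_DEFAULT_SERIAL


def run_detection(log_text: str) -> list:
    """Apply the rule to JSON x509 log lines and return alerts with context.

    The context fields (san.dns, certificate.subject, certificate.issuer) are
    the ones the rule surfaces for triage.
    """
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if matches_rule(record):
            alerts.append(
                {
                    "ts": record.get("ts"),
                    "id": record.get("id"),
                    "certificate.serial": record.get("certificate.serial"),
                    "san.dns": record.get("san.dns", []),
                    "certificate.subject": record.get("certificate.subject"),
                    "certificate.issuer": record.get("certificate.issuer"),
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_X509_LOG):
        print(json.dumps(alert))
```

Running the script reports the first and third records and leaves the second alone; the third only matches because the serial is compared as an integer, which is the kind of variation worth keeping in mind when porting the rule to a backend that compares strings literally.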
Categories
- Network
- Cloud
- Infrastructure
Data Sources
- Network Traffic
- Certificate
- Application Log
Created: 2021-06-23