
Summary
This detection rule identifies HTTP requests in proxy logs that match patterns of Cobalt Strike Malleable C2 profiles. Malleable profiles let an operator shape Beacon traffic so that it imitates legitimate services, so the rule inspects attributes of each proxied request, including the User-Agent string, HTTP method and request URI, for values characteristic of publicly known profiles that mimic Amazon browsing, OneDrive and other common URIs. Each profile family is covered by its own selection, and the rule fires when a request matches at least one selection (for example a specific User-Agent and URI combination) and none of the predefined filters that exclude known benign sources of the same pattern, which would otherwise produce false positives. The rule is classified as high severity because a match indicates active command-and-control communication, a critical stage of a malware operation.
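The selection-and-filter logic described above, as an added example that is not the rule itself or code from the Sigma project: a small Sigma-style evaluator that parses a few constructed W3C-format proxy log lines and reports which requests would alert. The field names, the selection and filter values (modeled loosely on public Malleable C2 example profiles) and the `filter_referrer` exclusion are assumptions for illustration, not the actual patterns of the rule the page summarizes.

```python
import re
from fnmatch import fnmatchcase

# Constructed selections in Sigma's "field|modifier" style. Values are
# illustrative stand-ins, NOT the real rule's patterns. Within a block every
# field must match (AND); within a field any listed value may match (OR).
SELECTIONS = {
    "selection_amazon": {
        "c-useragent|contains": ["Trident/7.0; rv:11.0) like Gecko"],
        "cs-method": ["GET"],
        "cs-uri|startswith": ["/s/ref=nb_sb_noss_1/"],
        "cs-uri|contains": ["/field-keywords=books"],
    },
    "selection_onedrive": {  # hypothetical OneDrive-style profile
        "cs-host": ["onedrive.live.com"],
        "cs-method": ["POST"],
        "cs-uri|contains": ["/?authkey="],
    },
}

# Hypothetical false-positive filter: a real browser session carries a
# Referer from the site itself, a Beacon following the profile does not.
FILTERS = {
    "filter_referrer": {"cs-referer|startswith": ["https://www.amazon.com/"]},
}

# Constructed sample proxy log (W3C extended format, tab-separated).
SAMPLE_LOG = """#Fields: c-ip cs-method cs-host cs-uri cs-referer c-useragent
10.0.0.5\tGET\twww.amazon.com\t/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\t-\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
10.0.0.7\tGET\twww.amazon.com\t/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\thttps://www.amazon.com/\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
10.0.0.9\tPOST\tonedrive.live.com\t/?authkey=abc123\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
10.0.0.11\tGET\twww.example.com\t/index.html\t-\tMozilla/5.0 (X11; Linux x86_64)
"""


def _value_matches(modifier, actual, expected):
    """Sigma-like string matching: case-insensitive, '*' and '?' wildcards."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "re":
        return re.search(expected, actual) is not None
    return fnmatchcase(a, e)


def _field_matches(event, key, expected_values):
    field, _, modifier = key.partition("|")
    actual = event.get(field, "")
    return any(_value_matches(modifier, actual, v) for v in expected_values)


def _block_matches(event, block):
    return all(_field_matches(event, k, v) for k, v in block.items())


def matched_selections(event):
    return [name for name, block in SELECTIONS.items() if _block_matches(event, block)]


def is_alert(event):
    """Condition: 1 of selection_* and not 1 of filter_*."""
    if not matched_selections(event):
        return False
    return not any(_block_matches(event, f) for f in FILTERS.values())


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        events.append(dict(zip(fields, line.split("\t"))))
    return events


def run(text=SAMPLE_LOG):
    """Return (client IP, matched selections) for every alerting request."""
    return [(ev["c-ip"], matched_selections(ev)) for ev in parse_w3c(text) if is_alert(ev)]


if __name__ == "__main__":
    for ip, sels in run():
        print(f"ALERT {ip}: {', '.join(sels)}")
```

Note that the second Amazon-looking request from 10.0.0.7 matches the same selection but is suppressed by the referrer filter, which is exactly the trade-off the rule makes: every filter added to cut false positives is also a condition an operator can satisfy by editing the profile, so filters should be as narrow as the benign traffic allows.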
Categories
- Network
- Web
Data Sources
- Network Traffic
- Web Credential
- Application Log
Created: 2024-02-15