Discussion:
[Snort-sigs] CobaltStrike certificate
joshua burgess
2016-12-12 20:30:44 UTC
I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity. I have the thumbprint "6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats.


That being said... What's wrong with this rule:


alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)

I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)

My FireEye box is firing on the SSL certificate for the CobaltStrike activity, but my IDS rules are NOT (and they are on the same monitoring network).

Thanks for any help.
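An added example (not from the thread) using constructed certificate bytes: a certificate thumbprint is the SHA-1 hash of the DER-encoded certificate, so those 20 bytes never appear in the Certificate handshake message and a raw content match on them, as in sid 6000046, cannot fire; the serial number and the empty issuer attributes that the ETPRO rule keys on do travel on the wire.

```python
import hashlib

# Constructed sample (not a real certificate): a TBSCertificate-style fragment
# carrying the serial from the post and an issuer whose X.520 attributes
# (C, ST, L, O, OU, CN) are all empty PrintableStrings, i.e. the "55 04 xx 13 00"
# byte pattern the ETPRO rule keys on. Lengths are DER-correct per RDN only.
X520_OIDS = (b"\x55\x04\x06", b"\x55\x04\x08", b"\x55\x04\x07",
             b"\x55\x04\x0a", b"\x55\x04\x0b", b"\x55\x04\x03")
EMPTY_ISSUER = b"".join(
    b"\x31\x09\x30\x07\x06\x03" + oid + b"\x13\x00"   # SET { SEQ { OID, "" } }
    for oid in X520_OIDS)
SAMPLE_CERT = (
    b"\x30\x82\x01\x00"                               # SEQUENCE (length placeholder)
    b"\xa0\x03\x02\x01\x02"                           # [0] EXPLICIT version v3
    b"\x02\x04\x08\xbb\x00\xee"                       # INTEGER serialNumber 08 bb 00 ee
    b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"  # sha256WithRSAEncryption
    + b"\x30" + bytes([len(EMPTY_ISSUER)]) + EMPTY_ISSUER               # issuer Name
)


def thumbprint(der: bytes) -> bytes:
    """The 'thumbprint' a console displays is SHA-1 over the DER certificate bytes."""
    return hashlib.sha1(der).digest()


def content_match(der: bytes, needle: bytes) -> bool:
    """Stand-in for a raw Snort content match: is the needle a substring of the cert?"""
    return needle in der


def serial_on_wire(der: bytes) -> bool:
    # The serial does travel: DER INTEGER tag 02, length 04, then the four value bytes.
    return content_match(der, b"\x02\x04\x08\xbb\x00\xee")


def empty_rdn_count(der: bytes) -> int:
    # Count OID + empty PrintableString pairs, the structure the ETPRO rule walks
    # with its chain of "55 04 xx" / "00" distance:1 within:2 checks.
    return sum(der.count(oid + b"\x13\x00") for oid in X520_OIDS)


def thumbprint_on_wire(der: bytes) -> bool:
    # A hash of the whole message is not a substring of that message in practice,
    # which is why sid 6000046 as written can never fire.
    return content_match(der, thumbprint(der))
```

Matching on the serial or on the empty-RDN structure is what can actually be keyed in a rule; a fingerprint has to be computed by a TLS-aware preprocessor or a tool like Bro/Zeek, not matched as raw bytes.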
rmkml
2016-12-12 20:47:15 UTC
Hi Joshua,

Could you try with disabling cksum verification please ? (-k none)

Best Regards
@Rmkml

On Mon, 12 Dec 2016, joshua burgess wrote:

>
> I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity.  I have the thumbprint "6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial
> number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats.
>
>
> That being said... What's wrong with this rule:
>
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce  5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046;
> rev:1;)
>
> I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|";
> content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0;
> content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0;
> content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)
>
> My FireEye box is firing on the SSL certificate for the CobaltStrike activity, but my IDS rules are NOT (and they are on the same monitoring network).
>
>
> Thanks for any help.
>
>
joshua burgess
2017-01-24 19:22:03 UTC
So this is what I came up with to cover the latest vulnerability disclosed by Tavis regarding the Webex plugin in Chrome\FF.


Let me know what you think:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"STE-5803 - Cisco: Magic WebEx URL"; flow:established,to_server; content:"GET"; http_method; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; within:70; content:"HTTP/1.1"; within:15; content:"User-Agent|3a| WebExRA"; http_header; content:!".webex.com"; http_header; content:!"webex.com"; http_header; reference:url,https://bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:trojan-activity; sid:6000051; rev:1;)



Backstory:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1096
Patrick Mullen
2017-01-25 14:43:19 UTC
Josh,

Thanks for the submission! We released sid 41409 yesterday for this,
which is essentially a stripped-down version of what you wrote. We've
moved our rule over to the community ruleset to make it available to
everyone immediately.

Here is what we released:


content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html";
fast_pattern:only; http_uri;

And that's it. Our version didn't have the other checks because we felt
that URI was so specific that it wouldn't have problems with False
Positives and by specifying the http_uri buffer, snort has assured us that
the packet is an HTTP packet and will have things like the http_method and
protocol version. We also felt that the check for the User-Agent, while
narrowing the request down to the official client, could open our rule up
to False Negatives when someone used another (or custom) client to make the
request.

Thank you again for the rule submission! If you have any more in the
future, please be sure to let us know!


Thanks,

~Patrick
--
Patrick Mullen
Response Research Manager
Cisco TALOS
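An added example, not Talos's or Joshua's code, using constructed requests and a hypothetical minimal HTTP parser: it evaluates the released http_uri-only rule and the draft rule against the official client, a custom client with another User-Agent, and a benign request, showing the false negative Patrick describes.

```python
# Constructed sample requests (not captured traffic): the magic URI from the
# official client, the same URI from an arbitrary client, and a benign request.
MAGIC_PAGE = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

OFFICIAL_CLIENT = (b"GET /" + MAGIC_PAGE.encode() + b" HTTP/1.1\r\n"
                   b"Host: test.example\r\nUser-Agent: WebExRA\r\n\r\n")
CUSTOM_CLIENT = (b"GET /" + MAGIC_PAGE.encode() + b" HTTP/1.1\r\n"
                 b"Host: test.example\r\nUser-Agent: curl/7.51.0\r\n\r\n")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: test.example\r\nUser-Agent: WebExRA\r\n\r\n"


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request-line and header parser (hypothetical helper)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def talos_41409_matches(req: dict) -> bool:
    # The released rule: the URI alone, matched in the http_uri buffer.
    return MAGIC_PAGE in req["uri"]


def draft_rule_matches(req: dict) -> bool:
    # The draft from the thread: GET, magic URI, HTTP/1.1, the official
    # User-Agent, and no "webex.com" anywhere in the headers.
    hdrs = req["headers"]
    return (req["method"] == "GET"
            and MAGIC_PAGE in req["uri"]
            and req["version"] == "HTTP/1.1"
            and hdrs.get("user-agent", "").startswith("WebExRA")
            and not any("webex.com" in v for v in hdrs.values()))


def verdicts(raw: bytes) -> tuple:
    """(released rule fired?, draft rule fired?) for one raw request."""
    req = parse_request(raw)
    return talos_41409_matches(req), draft_rule_matches(req)
```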
Joel Esler (jesler)
2016-12-12 21:02:00 UTC
Joshua,

Can you grab a pcap?


--
Joel Esler | Talos: Manager | ***@cisco.com






On Dec 12, 2016, at 3:30 PM, joshua burgess <***@hotmail.com> wrote:

I'm trying to generate a SNORT signature that looks for a specific certificate used by CobaltStrike for C2 (beacon) activity. I have the thumbprint "6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c" and serial number "08 bb 00 ee" (which I don't think I need)... How can I write a rule to look for that? I really don't have much else in the way of distinguishing attributes since it has no Issuer stats.

That being said... What's wrong with this rule:


alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert"; flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)

I saw some other sigs on ET and specifically this one which looks for blank issuer fields but that's not working either.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ETPRO INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; content:"|55 04 06 13 00|"; fast_pattern:only; content:"|16|"; content:"|02|"; distance:0; within:8; content:"|55 04 06|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 08|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 07|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0a|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 0b|"; distance:0; content:"|00|"; distance:1; within:2; content:"|55 04 03|"; distance:0; content:"|00|"; distance:1; within:2; classtype:trojan-activity; sid:2822815; rev:1;)

My FireEye box is firing on the SSL certificate for the CobaltStrike activity, but my IDS rules are NOT (and they are on the same monitoring network).

Thanks for any help.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
w***@windstream.net
2016-12-12 21:33:27 UTC
On 12/12/2016 03:30 PM, joshua burgess wrote:
> That being said... What's wrong with this rule:
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CobaltStrike SSL cert";
> flow:established,from_server; content:"|6e ce 5e ce 41 92 68 3d 2d 84 e2 5b 0b
> a7 e0 4f 9c b7 eb 7c|"; classtype:trojan-activity; sid:6000046; rev:1;)

is that extra space really in the thumb print?

s/6e ce 5e/6e ce 5e/

??

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
