Detectionhightest

Default Cobalt Strike Certificate

Detects the presence of default Cobalt Strike certificate in the HTTPS traffic

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Bhabesh RajCreated Wed Jun 23Updated Sun Oct 097100f7e3-92ce-4584-b7b7-01b40d3d4118network

Log Source

Zeek (Bro)x509

ProductZeek (Bro)← raw: zeek

Servicex509← raw: x509

Detection Logic

detection:
    selection:
        certificate.serial: 8BB00EE
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Software

Rule Metadata

Rule ID

7100f7e3-92ce-4584-b7b7-01b40d3d4118

Status

test

Level

high

Type

Detection

Created

Wed Jun 23

Modified

Sun Oct 09

Author

Path

rules/network/zeek/zeek_default_cobalt_strike_certificate.yml

Raw Tags

attack.command-and-controlattack.s0154