Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (MSDN Query Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&ac="; content:!"&refinement="; content:"/Search/en-US?query="; content:"&pgArea=header"; distance:150; endswith; content:!"."; pcre:"/^\/Search\/en-US\?query=[a-z]{200,400}&pgArea=header$/"; http.header; content:"|0d 0a|Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|"; fast_pattern; http.cookie; content:"MUID="; depth:5; content:"|3b|"; distance:32; within:1; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, malware_family Cobalt_Strike, malware_family Cobalt_Strike, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2024_05_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)