Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip,|20|deflate,|20|br|0d 0a|sec-fetch-dest|3a 20|empty|0d 0a|"; http.cookie; content:"ANID="; startswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:md5,4d9798fee3636a228dc420d338fd6f59; classtype:command-and-control; sid:2033796; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, malware_family Cobalt_Strike, confidence Medium, signature_severity Major, updated_at 2023_04_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)