Versions (4)
Version Details (Current)
Rev: 1 • Mar 19, 2025, 4:38 PM
TGI HUNT CobaltStrike Artifact in DNS
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"TGI HUNT CobaltStrike Artifact in DNS"; flow:established,to_server; dns_query; content:".resources.123456."; reference:url,threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/; classtype:trojan-activity; sid:2610450; rev:1;)
Mar 19, 2025, 4:38 PM
Mar 19, 2025, 4:38 PM
Jul 29, 2025, 5:35 PM
Jul 29, 2025, 5:35 PM
hunting.rules