๐Ÿพ - โš  Suspicious TLSv1.2 connection from ๐ŸชŸ Windows 10 socket to public IP address - Possible โ˜  Meterpreter / Cobalt Strike / other C2 - Certuil

SID: 3300712Rev: 66 views
History
Sourcepawpatrules
CreatedJune 29, 2021
UpdatedJuly 30, 2024
Classificationtrojan-activity
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"๐Ÿพ - โš  Suspicious TLSv1.2 connection from ๐ŸชŸ Windows 10 socket to public IP address - Possible โ˜  Meterpreter / Cobalt Strike / other C2 - Certuil"; flow:to_server, stateless; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; metadata:former_category JA3; reference:url,https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; reference:url,https://thedfirreport.com/2020/10/08/ryuks-return/; reference:url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference:url,https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Certutil/#download; target:src_ip; metadata:signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1218_005, mitre_technique_name System_Binary_Proxy_Execution_Mshta, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2021_06_29, updated_at 2024_07_30; sid:3300712; rev:6; classtype:trojan-activity;)

References

urlhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
urlhttps://thedfirreport.com/2020/10/08/ryuks-return/
urlhttps://thedfirreport.com/2021/01/31/bazar-no-ryuk/
urlhttps://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967
urlhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/#download

Metadata

former categoryJA3

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!