🐾 - ⚠ Suspicious TLSv1.2 connection from 🪟 Windows 10 socket / Powershell / Curl to public IP address - Possible ☠ Meterpreter / Cobalt Strike / PoshC2 / other C2

SID: 3300716
Rev: 2
Views: 4
Source: pawpatrules
Created: March 17, 2023
Updated: December 4, 2023
Classification: trojan-activity
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - ⚠ Suspicious TLSv1.2 connection from 🪟 Windows 10 socket / Powershell / Curl to public IP address - Possible ☠ Meterpreter / Cobalt Strike / PoshC2 / other C2"; flow:to_server, stateless; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; metadata:former_category JA3; reference:url,https://old.zeek.org/brocon2018/slides/Jeff_Atkinson._Fingerprinting_Encrypted.pptx; reference:url,https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/; reference:url,https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; metadata:created_at 2023_03_17, updated_at 2023_12_04; sid:3300716; rev:2; classtype:trojan-activity;)

Metadata

former category: JA3
