MATCH-S00488.md

File metadata and controls

39 lines (32 loc) · 1.39 KB

# Rules: Backdoor.HTTP.BEACON.[CSBundle USAToday GET]

## Description

From FireEye Red Team Tool Countermeasures: a network detection rule that matches specific HTTP request headers and URI content. The matched content corresponds to the HTTP GET request defined in the Cobalt Strike malleable C2 profile.

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Command and Control |
| Apply Risk to Entities | device_ip, device_hostname, srcDevice_hostname, srcDevice_ip, user_username |
| Signal Name | Backdoor.HTTP.BEACON.[CSBundle USAToday GET] |
| Summary Expression | Suspicious HTTP Request Headers to URL: {{http_url}} on destination host: {{dstDevice_ip}} |
| Score/Severity | Static: 5 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | bro_http_request_headers['ACCEPT'] |
| Normalized Schema | bro_http_request_headers['CONNECTION'] |
| Normalized Schema | bro_http_request_headers['COOKIE'] |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | http_method |
| Normalized Schema | http_url |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |