Identifying Cobalt Strike team servers in the wild
Summary
Identifying Cobalt Strike team servers in the wild
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
Cobalt Strike's embedded NanoHTTPD component leaves an obvious HTTP-level fingerprint: it emits one extra space in the HTTP response header. The official change log for version 3.13, released in January 2019, states that this has been fixed.
Because some teams still use cracked copies of Cobalt Strike, this detection rule will remain effective.
https://github.com/rsmudge/Malleable-C2-Profiles
ZoomEye dork reveals malicious Cobalt Strike C2 servers.
"HTTP/1.1 404 Not Found
Content-Type: text/plain
Date:"+"
Content-Length: 0"
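The following is an added example, not code from the Fox-IT write-up or the ZoomEye post: a small Python checker that applies the same fingerprint offline to raw HTTP responses, whether read from a packet capture or returned by a host you administer. It looks for the extra space after the reason phrase in the status line, combined with the empty text/plain 404 that the ZoomEye dork above matches. The sample responses are constructed for illustration and do not come from any real server.

```python
"""Offline checker for the NanoHTTPD trailing-space fingerprint described
above: a status line that ends in a space before CRLF, delivered with a
404, Content-Type: text/plain and Content-Length: 0.  Added example; the
samples below are constructed, not captured from real hosts."""

import re
from typing import Dict, List, Optional

_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ([^\r\n]*)$")


def parse_response_head(raw: bytes) -> Optional[Dict[str, object]]:
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns None when the bytes are not a well-formed response head.  The
    reason phrase is kept verbatim so a trailing space survives parsing.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    m = _STATUS_LINE.match(lines[0])
    if not m:
        return None
    reason = m.group(2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "status": int(m.group(1)),
        "reason": reason.decode("latin-1"),
        "trailing_space": reason.endswith(b" "),  # the NanoHTTPD quirk
        "headers": headers,
    }


def matches_cobalt_strike_fingerprint(raw: bytes) -> bool:
    """True when all four indicators from the page line up: trailing space
    in the status line, status 404, text/plain body type, zero length."""
    parsed = parse_response_head(raw)
    if parsed is None:
        return False
    h = parsed["headers"]
    return (
        bool(parsed["trailing_space"])
        and parsed["status"] == 404
        and h.get("content-type", "").lower().startswith("text/plain")
        and h.get("content-length") == "0"
    )


def scan_responses(samples: Dict[str, bytes]) -> List[str]:
    """Return the labels of every response that carries the fingerprint."""
    return [label for label, raw in samples.items() if matches_cobalt_strike_fingerprint(raw)]


# Constructed sample responses (illustrative only; the Date value is made up).
FINGERPRINT_HIT = (
    b"HTTP/1.1 404 Not Found \r\n"  # note the space before CRLF
    b"Content-Type: text/plain\r\n"
    b"Date: Tue, 26 Feb 2019 10:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
ORDINARY_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b"<h1>404</h1>\r\n"
)

if __name__ == "__main__":
    print(scan_responses({"sample-a": FINGERPRINT_HIT, "sample-b": ORDINARY_404}))  # ['sample-a']
```

Two caveats follow from the page itself. A hit is a strong indicator but not proof, since any NanoHTTPD-based service could answer the same way, so treat it as a lead for triage rather than a verdict. Conversely, a miss proves nothing: the page notes the quirk was fixed in 3.13, and a team server placed behind a reverse proxy will have its status line rewritten by the proxy, hiding the space entirely.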
Identifying Cobalt Strike team servers in the wild by using ZoomEye
https://medium.com/@80vul/identifying-cobalt-strike-team-servers-in-the-wild-by-using-zoomeye-debf995b6798
https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1+404+Not+Found+++Content-Type%3A+text%2Fplain+Date%3A%22+%2B%22Content-Length%3A+0%22+-Connection