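def analyze(self, topic, data, cert):
    """Flag a TLS leaf certificate whose subject carries an empty DN attribute.

    Args:
        topic: event type; anything other than ``"scan"`` is ignored.
        data: scan record; subject and serial fields are read with ``deep_get``
            from the parsed server certificate.
        cert: certificate handed to ``CSHash`` (defined elsewhere) for the
            allow-list check.

    Returns:
        ``(True, label)`` when the subject has an empty C/L/ST/O/OU value and the
        certificate hash is on the allow-list; ``(False, None)`` otherwise.
    """
    if topic != "scan":
        return False, None

    subject = 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject'
    # Each attribute is read as a list of values; the trigger is an attribute
    # that is present but whose first value is the empty string.
    attrs = (
        deep_get(data, subject + '.country'),
        deep_get(data, subject + '.locality'),
        deep_get(data, subject + '.province'),
        deep_get(data, subject + '.organization'),
        deep_get(data, subject + '.organizational_unit'),
    )
    if not any(value and value[0] == '' for value in attrs):
        return False, None

    allowed_hashes = {
        "4f8c042aa2987ce4d06797a84b2f832d",
    }
    if CSHash(cert) not in allowed_hashes:
        return False, None

    serial = deep_get(
        data,
        'data.tls.result.handshake_log.server_certificates.certificate.parsed.serial_number',
    )
    # Fix: a missing (None) or non-numeric serial previously raised
    # TypeError/ValueError out of the analyzer; treat it as "not the default
    # serial" so the hash match is still reported.
    try:
        is_default_serial = int(serial) == 146473198
    except (TypeError, ValueError):
        is_default_serial = False

    if is_default_serial:
        return True, "CobaltStrike Default Certificate"
    return True, "CobaltStrike C2"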
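def analyze(self, topic, data, cert):
    """Flag a certificate with the default OpenSSL-style issuer DN and a fixed validity length.

    Args:
        topic: event type; anything other than ``"scan"`` is ignored.
        data: scan record; ``issuer_dn`` and ``validity.length`` are read with
            ``deep_get`` from the parsed server certificate.
        cert: certificate handed to ``CSHash`` (defined elsewhere) for the
            allow-list check.

    Returns:
        ``(True, "cluster-1")`` when issuer, validity length and hash all match;
        ``(False, None)`` otherwise.
    """
    if topic != "scan":
        return False, None

    parsed = 'data.tls.result.handshake_log.server_certificates.certificate.parsed'
    validity = deep_get(data, parsed + '.validity.length')
    issuer_dn = deep_get(data, parsed + '.issuer_dn')

    if issuer_dn != "C=XX, L=Default City, O=Default Company Ltd":
        return False, None

    # Fix: a missing (None) or non-numeric validity length previously raised
    # TypeError/ValueError once the issuer matched; treat it as a non-match.
    try:
        validity_matches = int(validity) == 172800000
    except (TypeError, ValueError):
        validity_matches = False
    if not validity_matches:
        return False, None

    allowed_hashes = {
        "d29c030a2687b4e3364811e73700c523",
    }
    if CSHash(cert) in allowed_hashes:
        return True, "cluster-1"
    return False, None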
def analyze(self, topic, data, cert):
    """Flag a certificate issued as ``O=FASTVPS, CN=parking`` whose hash is allow-listed.

    Args:
        topic: event type; only ``"scan"`` records are examined.
        data: scan record; the issuer DN is read with ``deep_get`` from the
            parsed server certificate.
        cert: certificate handed to ``CSHash`` (defined elsewhere).

    Returns:
        ``(True, "cluster-1")`` on a match, else ``(False, None)``.
    """
    if topic != "scan":
        return False, None

    issuer_path = 'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer_dn'
    if deep_get(data, issuer_path) != "O=FASTVPS, CN=parking":
        return False, None

    allowed_hashes = {"0a8940ab07f7dbfabc238c80edb05426"}
    matched = CSHash(cert) in allowed_hashes
    return (True, "cluster-1") if matched else (False, None)
def analyze(self, topic, data, cert):
    """Flag a certificate whose subject email is exactly ``<OU>@<CN>``.

    Args:
        topic: event type; only ``"scan"`` records are examined.
        data: scan record; common name, organizational unit and email address
            are read with ``deep_get`` from the parsed subject (each as a list).
        cert: certificate handed to ``CSHash`` (defined elsewhere).

    Returns:
        ``(True, "Metasploit C2")`` when the email pattern holds and the hash is
        allow-listed; ``(False, None)`` otherwise.
    """
    if topic != "scan":
        return False, None

    subject = 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject'
    cn = deep_get(data, subject + '.common_name')
    ou = deep_get(data, subject + '.organizational_unit')
    email = deep_get(data, subject + '.email_address')

    # All three must be present; the first email must equal "<OU>@<CN>".
    if not (cn and ou and email):
        return False, None
    if email[0] != ou[0] + "@" + cn[0]:
        return False, None

    allowed_hashes = {"b432fd10cb96cd7c0d6d07d8ad2afd73"}
    if CSHash(cert) not in allowed_hashes:
        return False, None
    return True, "Metasploit C2"