def analyze(self, topic, data, cert): if topic != "scan": return False, None C = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.country') L = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.locality') ST = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.province') O = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.organization') OU = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.organizational_unit') if (C and C[0]=='') or (L and L[0] == '') or (ST and ST[0] == '') or (O and O[0] == '') or (OU and OU[0] == ''): allowed_hashes = { "4f8c042aa2987ce4d06797a84b2f832d", } if CSHash(cert) in allowed_hashes: serial = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.serial_number') if int(serial) == 146473198: return True, "CobaltStrike Default Certificate" else: return True, "CobaltStrike C2" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None issuer_common_name = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer.common_name') if issuer_common_name: issuer_common_name = issuer_common_name[0] else: return False, None subject_common_name = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.common_name') if subject_common_name: subject_common_name = subject_common_name[0] else: return False, None upper = False lower = False prefix_length = 0 dot = False banned = False incorrect = False for i in range(len(subject_common_name)): if subject_common_name[i] == '.': if dot: incorrect = True dot = True prefix_length = i elif subject_common_name[i].isupper() and not dot: upper = True elif subject_common_name[i].islower() and not dot: lower = True elif subject_common_name[i] == '-': banned = True correct_pattern = upper and lower and dot and prefix_length == 10 and not banned and not incorrect validity = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.validity.length') key_length = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject_key_info.rsa_public_key.length') if correct_pattern \ and issuer_common_name == subject_common_name \ and int(validity) == 31536000 \ and int(key_length) == 2048: allowed_hashes = { "108d4ee4b9f3cd5c0efba8af2dab5009", } if CSHash(cert) in allowed_hashes: return True, "cluster-3" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None allowed_hashes = { "f9e75ad1b99357a7df5bc2325a36d30c", } if CSHash(cert) in allowed_hashes: return True, "Pupy C2" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None issuer_dn = deep_get(data,'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer_dn') if issuer_dn == "C=XX, ST=1, L=1, O=1, OU=1, CN=*": allowed_hashes = { "b00e2855520f59644754e8bfa6dc1821", } if CSHash(cert) in allowed_hashes: return True, "cluster-1" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None issuer_dn = deep_get(data,'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer_dn') if issuer_dn == "CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd": allowed_hashes = { "3fbc3c90292240b7a5e5ff9a7130d59c", } if CSHash(cert) in allowed_hashes: return True, "cluster-4" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None issuer_dn = deep_get(data,'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer_dn') if issuer_dn == "C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com": allowed_hashes = { "b00e2855520f59644754e8bfa6dc1821", "612c9021db95bd4323cbcd3d00fedca7", } if CSHash(cert) in allowed_hashes: return True, "cluster-1" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None validity = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.validity.length', "0") if int(validity) == 315446400: allowed_hashes = { "1ce2b13bea04aaccc85e2725f8d1e7f4", } if CSHash(cert) in allowed_hashes: return True, "Covenant c2" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None validity = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.validity.length') issuer_dn = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer_dn') if issuer_dn == "C=XX, L=Default City, O=Default Company Ltd" and int(validity) == 172800000: allowed_hashes = { "d29c030a2687b4e3364811e73700c523", } if CSHash(cert) in allowed_hashes: return True, "cluster-1" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None issuer_dn = deep_get(data,'data.tls.result.handshake_log.server_certificates.certificate.parsed.issuer_dn') if issuer_dn == "O=FASTVPS, CN=parking": allowed_hashes = { "0a8940ab07f7dbfabc238c80edb05426", } if CSHash(cert) in allowed_hashes: return True, "cluster-1" return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None CN = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.common_name') C = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.country') if CN is None and C and C[0] == "US": allowed_hashes = { "23468ff8bd0e196cdc4fcff56cf8eb7e", } if CSHash(cert) in allowed_hashes: return True, "Powershell Empire C2" # or APfell actually return False, None
def analyze(self, topic, data, cert): if topic != "scan": return False, None CN = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.common_name') OU = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.organizational_unit') EMAIL = deep_get(data, 'data.tls.result.handshake_log.server_certificates.certificate.parsed.subject.email_address') if (CN and OU and EMAIL and EMAIL[0] == OU[0] + "@" + CN[0]): allowed_hashes = { "b432fd10cb96cd7c0d6d07d8ad2afd73", } if CSHash(cert) in allowed_hashes: return True, "Metasploit C2" return False, None