
Cognito Recall - Custom Model descriptions

The table below describes each saved search (custom model) found in the Cognito Recall dashboards, with links for further reading where relevant.

Custom Model

Description

Further Reading

Cognito - TTP - RDP - Possible Nmap Framework Detected

Detects Nmap scanning activity on the network over the RDP protocol.

 

Cognito - TTP - SSL - Potential Cobaltstrike Malleable C2 Meterpreter

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - iSession - Metasploit Download

This search is designed to show hosts downloading Metasploit by looking for connections to the download pages for the framework. 

 

Cognito - TTP - HTTP - Watson Application Crash

Finds all HTTP error reports sent to the Microsoft Dr. Watson service. This can point to an increase in crashing applications and track if any specific servers are facing application crashes frequently.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Hancitor Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - VSA - Cloud Storage

Detects connections to cloud storage apps from your network and groups them by service. This enables you to spot if an unauthorized cloud storage application is in use.

 

Cognito - TTP - SMB - Potential Posh C2 Fcomm implant file

Finds the default communication file used by the Nettitude PoshC2 FComm lateral-movement implant over SMB.

https://labs.nettitude.com/blog/introducing-fcomm-c2-lateral-movement/

Cognito - Compliance - SMB - Internal Host Accessed Externally Over SMB

Finds an internal host responding to an external request over SMB.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Quantloader

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - DNS - Shadowpad Trojan Domains

Finds all DNS queries to known domains that are part of the Shadowpad Trojan campaign.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/ShadowPad.A

Cognito - TTP - HTTP - Potential Cobaltstrike Malleable C2 StringOfPearls

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Xorist Ransomware Known Domain

Finds all HTTP sessions involving known domains of the Xorist ransomware

https://www.malware-traffic-analysis.net/2018/05/08/index2.html

Cognito - Compliance - x509 - Self Issued Certificate Recently Generated

Finds all sessions presenting a self-issued (self-signed) x509 certificate that was generated recently. Attacker tooling commonly mints a fresh self-signed certificate for its listener, so a newly generated self-signed certificate on an unfamiliar host is worth investigating.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Qakbot

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - Detect - isession - Smash and Grab

Suggested search structure for investigating Smash and Grab detections. Not intended for use with Notifications

 

Cognito - Compliance - SMB outbound to external destination.

This search finds outbound connections from internal hosts to external destinations on port 445 with the SMB service. This is a compliance issue: outbound SMB can leak NTLM credentials to an attacker-controlled server.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Emotet

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Jasperloader

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Password File Query

Finds all HTTP activity that attempts to access a password file directly by its path in a query. This can indicate an HTTP request that has been altered in an attempt to access a restricted file on the server.

 

Cognito - Detect - isession - External Remote Access

Suggested search structure for investigating External Remote Access detections. Not intended for use with Notifications

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 UrsnifICEID Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Possible Exploit Framework Detected

Detects the presence of common exploit frameworks on the network over HTTP connections.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Hancitor

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Possible Metasploit Framework Detected

Detects the presence of the Metasploit framework on the network over HTTP connections.

 

Cognito TTP - HTTP - FireEye Red Team Tools CSBundle Original Stager

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye. Source: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

 

Cognito - TTP - ICMP - Potential ICMP Exfil

This search finds outbound ICMP echo traffic whose payload size and duration indicate unusually large ICMP payloads being sent over a sustained period. This may indicate that the host is exfiltrating data over ICMP.

 
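The ICMP exfiltration model above keys on payload size and volume over time. The following is an added example (not Vectra's model logic) showing that check as code over constructed Zeek-style conn.log records: flows whose average payload per echo request is far above normal ping sizes are collected per source host, and a host is flagged when the oversized bytes within a sliding window exceed a threshold. The field names follow Zeek's conn.log; the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Thresholds (assumptions for this example, tune to your environment):
MAX_NORMAL_PAYLOAD = 128    # bytes per echo request; ping defaults are 32 (Windows) / 56 (Linux)
WINDOW_SECONDS = 300        # sliding window over which oversized payload bytes are summed
MIN_WINDOW_BYTES = 20_000   # oversized ICMP bytes within one window that raise an alert

# Constructed Zeek-style conn.log records for ICMP flows (proto=icmp).
# Zeek folds an echo request/reply exchange into one flow with packet and byte counters.
ICMP_LOG = [
    # 10.0.0.5 pushes 20 x 1400-byte echo requests every 20 seconds: exfil-like
    {"ts": 1609459200.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
     "proto": "icmp", "orig_pkts": 20, "orig_bytes": 28000},
    {"ts": 1609459220.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
     "proto": "icmp", "orig_pkts": 20, "orig_bytes": 28000},
    {"ts": 1609459240.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10",
     "proto": "icmp", "orig_pkts": 20, "orig_bytes": 28000},
    # 10.0.0.7 runs ordinary 64-byte pings: normal
    {"ts": 1609459200.0, "id.orig_h": "10.0.0.7", "id.resp_h": "8.8.8.8",
     "proto": "icmp", "orig_pkts": 4, "orig_bytes": 256},
    {"ts": 1609459500.0, "id.orig_h": "10.0.0.7", "id.resp_h": "8.8.8.8",
     "proto": "icmp", "orig_pkts": 4, "orig_bytes": 256},
    # 10.0.0.9 sends three large pings once (e.g. an MTU probe): below volume threshold
    {"ts": 1609459200.0, "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.20",
     "proto": "icmp", "orig_pkts": 3, "orig_bytes": 4200},
]


def find_icmp_exfil(log, window=WINDOW_SECONDS, min_bytes=MIN_WINDOW_BYTES,
                    max_payload=MAX_NORMAL_PAYLOAD):
    """Return {orig_h: peak oversized-ICMP bytes seen within any single window}."""
    oversized = defaultdict(list)
    for r in log:
        if r["proto"] != "icmp" or r["orig_pkts"] == 0:
            continue
        # Average payload per packet: normal pings stay well under max_payload.
        if r["orig_bytes"] / r["orig_pkts"] <= max_payload:
            continue
        oversized[r["id.orig_h"]].append((r["ts"], r["orig_bytes"]))

    alerts = {}
    for host, flows in oversized.items():
        flows.sort()
        start, total = 0, 0
        for ts, nbytes in flows:
            total += nbytes
            # Slide the window forward so it only covers the last `window` seconds.
            while ts - flows[start][0] > window:
                total -= flows[start][1]
                start += 1
            if total >= min_bytes:
                alerts[host] = max(alerts.get(host, 0), total)
    return alerts


if __name__ == "__main__":
    for host, peak in find_icmp_exfil(ICMP_LOG).items():
        print(f"{host}: {peak} bytes of oversized ICMP within {WINDOW_SECONDS}s")
```

Because the check is volume-based, a low-and-slow tunnel that keeps payloads at normal ping sizes will not trigger it; pair it with the destination (an internal host pinging an unfamiliar external address) before escalating.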

Cognito - Compliance - x509 - Certificate expiring next 30 days

Find instances of in-use certificates expiring in the next 30 days

 

Cognito TTP - iSession - APT29 Solar Storm Campaign C2 IP

This custom model will show activity towards the IP addresses used in the APT29 Solar Storm campaign, referenced here: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

 

Cognito - Detect - HTTP - Hidden HTTP Tunnel (Exfil)

Suggested search structure for investigating Hidden HTTP Tunnel (Exfil) detections. Not intended for use with Notifications

 

Cognito - Compliance - RDP - Unencrypted RDP

This search shows RDP sessions that were negotiated without encryption. This can be a compliance issue, as unencrypted RDP should be avoided wherever possible.

 

Cognito - TTP - SMB - EternalBlue Payload

This custom Recall model looks for the EternalBlue exploit payload over SMB. Look for multiple entries from the same id.orig_h (originating IP), which indicates one host attempting the exploit against many targets.

https://en.wikipedia.org/wiki/EternalBlue

Cognito - VSA - NetBIOS and LLMNR Usage

Finds possible attempts to harvest authentication credentials (NTLM challenge/response hashes) by poisoning NetBIOS Name Service and LLMNR name resolution on the local network, a common attack against Windows environments.

https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials

Cognito - TTP - HTTP - Potential Emotet C2

A regex-based search designed to catch Emotet C2 communications as of October 2020.

 

Cognito - TTP - DNS - Wannacry Ransomware Domain

Finds all queries for known domains associated with the WannaCry ransomware.

https://www.secureworks.com/research/wcry-ransomware-analysis

Cognito - Detect - SSL - Hidden HTTPS Tunnel (Exfil)

Suggested search structure for investigating Hidden HTTPS Tunnel (Exfil) detections. Not intended for use with Notifications

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Gandcrab Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - Detect - SSL - Hidden HTTPS Tunnel (C&C)

Suggested search structure for investigating Hidden HTTPS Tunnel (C&C) detections. Not intended for use with Notifications

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Ramnit Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Ramnit

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Emotet Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Jaff

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - isession - Fox Kitten Campaign

Finds all iSession traffic communicating with known Iranian APT "Fox Kitten" servers.

 

Cognito - VSA - Potential Unencrypted Web Administration

Finds instances where attempts are made to access administrative portals over unencrypted HTTP sessions, which means that authentication can be intercepted by malicious actors on the network.

 

Cognito - VSA - IPMI v2 Password Hash Disclosure

Finds instances of the Intelligent Platform Management Interface (IPMI) protocol potentially exposing password hashes. IPMI 2.0's RAKP authentication handshake returns a salted HMAC of the user's password to any client before authentication completes (CVE-2013-4786), which allows offline cracking.

 

Cognito - Compliance - RDP - Internal RDP Server Accessed Externally

Finds an internal RDP server responding to an external request.

 

Cognito - TTP - HTTP - Nessus Vulnerability Scanner Detected

Looks for the Nessus Vulnerability Scanner being used on the network over HTTP.

 

Cognito - TTP - HTTP - Possible Nmap Framework Detected

Detects the presence of the Nmap framework on the network over HTTP connections.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Globeimposter

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Formbook

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - x509 - Potential Cobalt Strike Malleable APT1 C2

Matches elements of the Cobalt Strike Malleable C2 APT1 profile: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobaltstrike Malleable C2 Pity tiger

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - Detect - DNS - Hidden DNS Tunnel (C&C)

Suggested search structure for investigating Hidden DNS Tunnel (C&C) detections. Not intended for use with Notifications

 

Cognito - TTP - HTTP - Kovter Trojan Known URI Elements

Finds all HTTP sessions whose URIs contain elements known to be used by the Kovter trojan.

 

Cognito - TTP - HTTP - Possible Cobalt Strike Malleable C2 Comfoo

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - VSA - Internal SMB Accessed Externally

Finds instances where an internal server receives an SMB request from an external location. This can be a signal of a malicious actor.

 

Cognito - Detect - x509 - Certificate Curveball

Finds sessions that use certificate serials associated with CVE-2020-0601 (Curveball), the Windows CryptoAPI ECC certificate validation flaw.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0601

Cognito - TTP - HTTP - Potential Wordpress RCE Exploit CVE

This search is designed to expose exploitation of the RCE flaw in the WordPress File Manager plugin. When this model was written the zero-day had no CVE; it has since been assigned CVE-2020-25213. Reference: https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/

 

Cognito - PUP - HTTP - Potentially Harmful File Download

Finds all downloads of risky file types (e.g. .msi, .swf, .exe), giving a view of the risk carried by file-download activity.

 

Cognito - TTP - HTTP - Directory Traversal

Finds all HTTP activity that attempts a directory traversal in a query. This can indicate an HTTP request that has been altered in an attempt to access a restricted file on the server.

 

Cognito TTP - HTTP - FireEye Red Team Tools GORAT.[SID1]

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye. Source: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

 

Cognito - Compliance - isession - Unencrypted FTP and Telnet

Finds all instances of cleartext FTP or Telnet. Both protocols transmit credentials in the clear, greatly increasing the risk of exposure.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Safeko

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito TTP - HTTP - FireEye Red Team Tools NYTIMES POST

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye. Source: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

 

Cognito - TTP - SMB Files - GANDCRAB Known Ransom Note

Finds all SMB transactions involving the known GandCrab ransom note.

http://malware-traffic-analysis.net/2018/04/10/index.html

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 RigEK

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - SSL - Pupy Remote Access Trojan Detection

Detects the Pupy Remote Access Trojan based on its JA3S (server-side TLS) fingerprint.

 

Cognito TTP - HTTP - Potential Weblogic exploit CVE-2020-14882

This search catches the encoded directory traversal against the WebLogic administration console that is used in the CVE-2020-14882 RCE exploit.

 
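The Password File Query, Directory Traversal and WebLogic CVE-2020-14882 models above all reduce to inspecting the request URI after decoding. The following is an added example (not the Recall search logic) that runs that inspection over constructed URIs: it URL-decodes until the string is stable (so double-encoded `%252e%252e%252f` is caught), normalises backslashes, and tags traversal, sensitive password-file paths and traversal aimed at a `/console/` path. The sample URIs are constructed for the example; the console line mirrors only the double-encoded traversal pattern, not a complete exploit request.

```python
import re
from urllib.parse import unquote

# Sensitive files commonly requested via traversal (assumed list, extend as needed).
PASSWORD_FILE_RE = re.compile(
    r"(?:^|[\\/])(?:etc[\\/](?:passwd|shadow)|\.htpasswd|windows[\\/]repair[\\/]sam)\b",
    re.IGNORECASE)

# Constructed sample URIs, as they would appear in a Zeek http.log `uri` field.
SAMPLE_URIS = [
    "/images/../../../etc/passwd",                   # plain traversal to a password file
    "/download?file=..%2F..%2Fetc%2Fshadow",         # traversal hidden in a query parameter
    "/console/css/%252e%252e%252fconsole.portal",    # double-encoded traversal to the console
    "/static/app.js",                                # clean
    "/search?q=..",                                  # ".." without a separator: clean
    "/cgi-bin/..%5c..%5cwindows%5crepair%5csam",     # backslash variant
]


def decode_fully(uri: str, max_rounds: int = 3):
    """URL-decode until the value stops changing; return (decoded, rounds used)."""
    rounds, current = 0, uri
    while rounds < max_rounds:
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def classify_uri(uri: str) -> set:
    """Return the set of tags raised by one request URI."""
    decoded, rounds = decode_fully(uri)
    norm = decoded.replace("\\", "/")          # treat "..\" like "../"
    tags = set()
    if "../" in norm or norm.endswith("/.."):
        tags.add("traversal")
    if rounds >= 2:
        # Needed more than one decode pass: the client deliberately double-encoded.
        tags.add("double-encoded")
    if PASSWORD_FILE_RE.search(norm):
        tags.add("password-file")
    if "traversal" in tags and norm.lower().startswith("/console/"):
        tags.add("weblogic-console")
    return tags


def scan_uris(uris) -> dict:
    """Map each flagged URI to its sorted tags; clean URIs are omitted."""
    return {u: sorted(classify_uri(u)) for u in uris if classify_uri(u)}


if __name__ == "__main__":
    for uri, tags in scan_uris(SAMPLE_URIS).items():
        print(f"{tags}: {uri}")
```

Decoding before matching is the point: a search that looks for the literal string `../` misses both the single-encoded and the double-encoded forms, which is exactly what the WebLogic exploit relies on.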

Cognito - Compliance - SSL - Weak Server Cipher Usage

Finds all SSL/TLS sessions in which servers are using weak ciphers. It is important to check the TLS configuration in use to avoid deploying cryptography that can be easily defeated.

 

Cognito TTP - HTTP - FireEye Red Team Tools CSBundle Original POST

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - TTP - HTTP - Hancitor Infection with Azorult and Zeus Panda Banker Known Domains

Finds all HTTP sessions involving known domains of Hancitor's Azorult and Zeus Panda attacks

http://malware-traffic-analysis.net/2018/07/19/index2.html

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 xbash Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - Detect - DNS - Hidden DNS Tunnel (Exfil)

Suggested search structure for investigating Hidden DNS Tunnel (Exfil) detections. Not intended for use with Notifications

 

Cognito - Detect - HTTP - Suspicious HTTP

Suggested search structure for investigating Suspicious HTTP detections. Not intended for use with Notifications

 

Cognito - TTP - RDP - Nessus Vulnerability Scanner Detected

Detects the use of the Nessus Vulnerability Scanner on the network that is using the RDP protocol.

 

Cognito - TTP - Http - Potential Cobaltstrike Malleable C2 havex

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - Http - Potential Cobaltstrike Malleable C2 Etumbot

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Hidden Cobra Campaign TYPEFRAME Known IPs

Finds all HTTP sessions involving known IP addresses of Hidden Cobra's TYPEFRAME attack.

https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity 

Cognito - TTP - HTTP - Citrix ADC Traversal Vulnerability

Finds attempts to exploit the known Citrix ADC directory traversal vulnerability (CVE-2019-19781).

https://support.citrix.com/article/CTX267027 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Globeimposter Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - VSA - Internal RDP Server Accessed Externally

Finds instances where an internal RDP server is accessed from an external location. This can be a signal of a malicious actor.

 
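The SMB outbound, internal SMB accessed externally and internal RDP accessed externally models above are all direction checks on connection metadata. The following is an added example (not Vectra's search definitions) that applies those checks to constructed Zeek-style conn.log records: it decides which side is internal from a configured list of subnets, and only reports an internal server as "accessed externally" when the connection state shows the server actually answered. Field names follow Zeek; the internal subnets and the RFC 5737 documentation addresses used as "external" hosts are assumptions for the example.

```python
import ipaddress

SMB_PORT, RDP_PORT = 445, 3389

# The organisation's internal address space (assumption; Recall uses the
# subnets configured for the deployment). Note that Python's is_private
# also treats the RFC 5737 documentation ranges as private, so an explicit
# list is used instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zeek conn_state values meaning the responder never answered.
UNANSWERED = {"S0", "REJ"}

# Constructed Zeek-style conn.log records; RFC 5737 documentation ranges
# stand in for external addresses.
CONN_LOG = [
    {"uid": "C1", "id.orig_h": "10.1.2.3", "id.resp_h": "203.0.113.7",
     "id.resp_p": 445, "service": "smb", "conn_state": "SF"},
    {"uid": "C2", "id.orig_h": "198.51.100.9", "id.resp_h": "10.1.2.50",
     "id.resp_p": 445, "service": "smb", "conn_state": "SF"},
    {"uid": "C3", "id.orig_h": "198.51.100.9", "id.resp_h": "10.1.2.51",
     "id.resp_p": 3389, "service": "-", "conn_state": "S0"},   # SYN only, no reply
    {"uid": "C4", "id.orig_h": "192.0.2.4", "id.resp_h": "10.1.2.52",
     "id.resp_p": 3389, "service": "ssl", "conn_state": "SF"},
    {"uid": "C5", "id.orig_h": "10.1.2.3", "id.resp_h": "10.1.2.50",
     "id.resp_p": 445, "service": "smb", "conn_state": "SF"},   # internal to internal
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_connection(rec: dict) -> list:
    """Return the compliance findings raised by one connection record."""
    orig_int = is_internal(rec["id.orig_h"])
    resp_int = is_internal(rec["id.resp_h"])
    port = rec["id.resp_p"]
    answered = rec["conn_state"] not in UNANSWERED
    findings = []
    if port == SMB_PORT and orig_int and not resp_int:
        # A Windows client connecting out over SMB will offer its NTLM
        # credentials to the remote server, hence the compliance concern.
        findings.append("outbound-smb-to-external")
    if port == SMB_PORT and not orig_int and resp_int and answered:
        findings.append("internal-smb-accessed-externally")
    if port == RDP_PORT and not orig_int and resp_int and answered:
        findings.append("internal-rdp-accessed-externally")
    return findings


def run_conn_checks(log: list) -> dict:
    """Map uid -> findings for records that raised at least one."""
    results = {}
    for rec in log:
        findings = classify_connection(rec)
        if findings:
            results[rec["uid"]] = findings
    return results


if __name__ == "__main__":
    for uid, findings in run_conn_checks(CONN_LOG).items():
        print(uid, findings)
```

The unanswered-SYN case (C3) is why the conn_state check matters: internet-wide scanners hit port 3389 constantly, and a bare SYN against a host that does not reply is noise, whereas a completed session to an internal RDP server from outside is the finding the model is after.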

Cognito - TTP - HTTP - Potential Cobaltstrike Malleable C2 Putter

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito TTP - X509 - FireEye Red Team Tools CSBundle Ajax

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - Compliance - HTTP - Older Versions of Mozilla

Finds HTTP sessions whose User-Agent advertises a Mozilla token older than 4.0 (for example Mozilla/3.0). Modern browsers all send Mozilla/5.0, so older values usually indicate legacy software or hand-written clients.

 

Cognito - TTP - HTTP - Hidden Cobra Campaign Delta Charlie Attack Known IPs

Finds all HTTP sessions involving known IP addresses of Hidden Cobra's Delta Charlie attack.

https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

Cognito - TTP - HTTP - Maze Ransomware Known TTPs

This search finds Maze ransomware activity based on known TTPs and is periodically updated with more recent TTPs.

 

Cognito - TTP - HTTP - Potential PAS WebShell targeting Centreon Systems

Finds incoming communications to the PAS web shell, specifically as deployed against Centreon systems.

Reference: CERTFR-2021-CTI-005 https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-005/

Cognito - Compliance - HTTP - Possible Kali Linux Detected

Finds HTTP sessions with user-agents that advertise Kali Linux, a Debian-based distribution commonly used by penetration testers.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Safeko Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - Detect - DNS - Suspect Domain Activity

Suggested search structure for investigating Suspect Domain Activity detections. Not intended for use with Notifications.

 

Cognito - TTP - isession - Maze Known Check-in IPs

This search finds Maze ransomware activity based on known check-in IPs and is periodically updated with more recent check-in IPs.

 

Cognito - TTP - SMB Files - Wannacry Known Ransom Note

Finds all SMB transactions involving the known Wannacry ransom note

https://www.secureworks.com/research/wcry-ransomware-analysis

Cognito - TTP - isession - Maze Known IPs

This search finds Maze ransomware activity based on known C2 IPs and is periodically updated with more recent C2 IPs.

 

Cognito - Detect - isession - Automated Replication

Suggested search structure for investigating Automated Replication detections. Not intended for use with Notifications

 

Cognito - TTP - SSL - Possible Meterpreter Detected

Detects the presence of Meterpreter on Windows 10 connecting to Kali Linux on the network.

https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 POSeidon Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - iSession - Potential Weblogic Exploit

This search is based on the WebLogic exploit chain that works over the T3 protocol. It finds external-to-internal connections using T3 to a management interface that should never be exposed to the internet.

 

Cognito - TTP - SSL - Possible Faction C2

This search is designed to look for the Faction C2 Certificate which would expose the use of this tool in the network. 

 

Cognito TTP - HTTP - FireEye Red Team Tools Yelp Request

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

Source: https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 UrsnifICEID

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - SSL - Possible Cobalt Strike Detected

Detects the presence of Cobalt Strike on Windows 10 connecting to Kali Linux on the network, which is a strong signal of malicious connection attempts.

https://www.cobaltstrike.com/

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Kronos

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - SMB Files - Bad Rabbit Known Usernames

Finds all SMB fileshare transactions using usernames known to be used with Bad Rabbit

https://securelist.com/bad-rabbit-ransomware/82851/

Cognito - Compliance - HTTP - Potential Unencrypted Web Administration

Finds all web administration sessions carried over cleartext HTTP. To improve security posture and minimize attack surface, administrative interfaces should be served over TLS, especially on critical servers.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 xbash

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito TTP - SMB - Default Posh C2 PBind Named Pipe

Finds the default named pipe used by the Nettitude PoshC2 PBind lateral-movement implant.

 

Cognito - VSA - SMBv1

Finds instances where SMB v1 has been used on the network. SMBv1 is an unsafe protocol, and its use should be disabled.

https://www.zdnet.com/article/windows-10-tip-stop-using-the-horribly-insecure-smbv1-protocol/

Cognito TTP - HTTP - FireEye Red Team Tools CSBundle NYTIMES GET

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Gandcrab

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - DNS - Maze Ransomware Known Domains

This search finds Maze ransomware activity based on known domains and is periodically updated with more recent domains.

 

Cognito - Detect - isession - Data Smuggler

Suggested search structure for investigating Data Smuggler detections. Not intended for use with Notifications

 

Cognito - Detect - HTTP - Hidden HTTP Tunnel (C&C)

Suggested search structure for investigating Hidden HTTP Tunnel (C&C) detections. Not intended for use with Notifications

 

Cognito - TTP - SMB - Malicious Tool File Copy

This search finds the copying of multiple known Red Team tools and associated files across the network using SMB. 

 

Cognito - VSA - Weak Client Cipher Usage

Finds encrypted sessions in which the client negotiated a weak cipher that can be broken with practical attacks. These ciphers should be replaced with modern ones.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 CV19_kodiac

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - x509 - Posh C2 default Certificate Values

Finds the default certificate values used by the Nettitude PoshC2 HTTPS implant.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Formbook Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - DNS - Bad Rabbit Domains

Finds all queries for known domains associated with Bad Rabbit

https://securelist.com/bad-rabbit-ransomware/82851/

Cognito - Compliance - isession - Time Wasting Sites

Finds all hosts consuming media content such as Netflix, Gaming, YouTube or Twitch over excessive periods of time. This can be classified as fraud, waste and abuse and can have a negative impact on the network infrastructure and/or productivity.

 

Cognito - TTP - SMB Files - Wannacry Known Ransom Extensions

Finds all SMB transactions involving the known Wannacry file extensions

https://www.secureworks.com/research/wcry-ransomware-analysis

Cognito - TTP - SSL - Possible Empire Detected

Detects the presence of the (Python) Empire post-exploitation framework on the network.

https://github.com/EmpireProject/Empire

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Trickbot

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - DNS - Parked Domains

Finds all queries for domains that resolve to localhost, or that are not owned by Google but resolve to Google-owned address space. It is not uncommon for attackers to park a domain at such an address while they are not actively using it.

 

Cognito - Compliance - SSL - Weak Client Cipher Usage

Finds all SSL/TLS sessions in which the client is using weak ciphers. It is important to check the TLS configuration in use to avoid deploying cryptography that can be easily defeated.

 
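The Weak Server Cipher Usage and Weak Client Cipher Usage models above both classify the cipher suite recorded for a TLS session. The following is an added example (not the Recall search definitions) that runs such a classification over constructed Zeek-style ssl.log records: the negotiated cipher is checked for known-weak constructions (NULL, export-grade, RC4, DES/3DES, anonymous key exchange, MD5 MACs), the protocol version for legacy SSL/TLS, and, where a ClientHello cipher list is available, the client's offered suites are checked separately, since a client can offer weak ciphers that a well-configured server never selects. Zeek's IANA-style cipher names and version strings are assumed; the `client_ciphers` field is an assumption, as Zeek only logs it with an extra policy script.

```python
import re

# Substrings marking a cipher suite as weak, with the reason reported.
# Order matters only for the order of reasons in the output.
WEAK_PATTERNS = [
    (r"_NULL_", "null-encryption"),
    (r"EXPORT", "export-grade"),
    (r"_RC4_", "RC4"),
    (r"_DES_", "single-DES"),
    (r"3DES", "3DES-sweet32"),
    (r"_anon_", "anonymous-no-auth"),
    (r"_MD5$", "MD5-mac"),
]
# Zeek ssl.log version strings for protocols that should no longer be in use.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

# Constructed Zeek-style ssl.log records (hypothetical hosts).
SSL_LOG = [
    {"uid": "S1", "id.resp_h": "10.2.0.10", "server_name": "intranet.example.com",
     "version": "TLSv12", "cipher": "TLS_RSA_WITH_RC4_128_SHA"},
    {"uid": "S2", "id.resp_h": "10.2.0.11", "server_name": "portal.example.com",
     "version": "TLSv12", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "client_ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                        "TLS_RSA_WITH_RC4_128_SHA"]},
    {"uid": "S3", "id.resp_h": "10.2.0.12", "server_name": "legacy.example.com",
     "version": "TLSv10", "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
    {"uid": "S4", "id.resp_h": "10.2.0.13", "server_name": "appliance.example.com",
     "version": "TLSv12", "cipher": "TLS_DH_anon_WITH_AES_128_CBC_SHA"},
    {"uid": "S5", "id.resp_h": "10.2.0.14", "server_name": "api.example.com",
     "version": "TLSv13", "cipher": "TLS_AES_256_GCM_SHA384"},
]


def cipher_weaknesses(cipher: str) -> list:
    """Reasons a single cipher suite name is considered weak (empty if fine)."""
    reasons = [label for pattern, label in WEAK_PATTERNS if re.search(pattern, cipher)]
    if cipher.startswith("TLS_RSA_WITH_"):
        # Static RSA key exchange: not broken, but offers no forward secrecy.
        reasons.append("no-forward-secrecy")
    return reasons


def assess_session(rec: dict) -> list:
    """Findings for one ssl.log record: negotiated cipher, version, client offer."""
    findings = cipher_weaknesses(rec["cipher"])
    if rec["version"] in LEGACY_VERSIONS:
        findings.append("legacy-protocol:" + rec["version"])
    for offered in rec.get("client_ciphers", []):
        if cipher_weaknesses(offered):
            findings.append("client-offers-weak:" + offered)
    return findings


def weak_servers(log: list) -> dict:
    """Group findings by server IP so each misconfigured host appears once."""
    by_server = {}
    for rec in log:
        findings = assess_session(rec)
        if findings:
            by_server.setdefault(rec["id.resp_h"], set()).update(findings)
    return {host: sorted(f) for host, f in by_server.items()}


if __name__ == "__main__":
    for host, findings in weak_servers(SSL_LOG).items():
        print(host, findings)
```

Grouping by server matters for the server-side model: the negotiated cipher is the best suite both peers share, so one legacy client can make a well-configured server look weak on a single session, while a server that repeatedly lands on RC4 or 3DES across many clients is the real finding.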

Cognito TTP - HTTP - FireEye Red Team Tools Office POST

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - Compliance - HTTP - USB Device Potentially Plugged Into Windows OS

Detects when a request is made to Microsoft's Device Metadata service, which could signify that a new USB device has been connected

 

Cognito - TTP - SMB Files - GANDCRAB Known Ransom Extensions

Finds all SMB transactions involving known GandCrab file extensions.

http://malware-traffic-analysis.net/2018/04/10/index.html

Cognito TTP - HTTP - FireEye Red Team Tools CSBundle Original GET

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - Compliance - x509 - Certificate Has Expired

Finds any sessions using an x509 certificate that has expired. A session that proceeds with an expired certificate indicates either a neglected server or a client that is not enforcing certificate validation, both of which weaken the session's security.

 
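The three x509 compliance models on this page (self-issued certificate recently generated, certificate expiring in the next 30 days, certificate has expired) are all date and issuer comparisons on certificate metadata. The following is an added example (not Vectra's search definitions) that performs those checks over constructed Zeek-style x509.log records. It fixes "now" to a constant so the result is deterministic; a live check would use the current time. Field names follow Zeek's x509.log, where validity dates are epoch seconds; the subject and issuer values are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (assumption).
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)


def _epoch(days_from_now: int) -> float:
    """Zeek x509.log stores validity dates as epoch seconds."""
    return (NOW + timedelta(days=days_from_now)).timestamp()


# Constructed records in the shape of Zeek x509.log (hypothetical names/serials).
X509_LOG = [
    {"id": "F1", "subject": "CN=update-srv.local", "issuer": "CN=update-srv.local",
     "serial": "01", "not_valid_before": _epoch(-2), "not_valid_after": _epoch(363)},
    {"id": "F2", "subject": "CN=www.example.com", "issuer": "CN=Example CA",
     "serial": "0A1B", "not_valid_before": _epoch(-355), "not_valid_after": _epoch(10)},
    {"id": "F3", "subject": "CN=old.example.com", "issuer": "CN=Example CA",
     "serial": "0A1C", "not_valid_before": _epoch(-370), "not_valid_after": _epoch(-5)},
    {"id": "F4", "subject": "CN=api.example.com", "issuer": "CN=Example CA",
     "serial": "0A1D", "not_valid_before": _epoch(-100), "not_valid_after": _epoch(265)},
]


def classify_certificate(cert: dict, now: datetime = NOW,
                         recent_days: int = 7, expiring_days: int = 30) -> set:
    """Return the set of compliance flags raised by one certificate record."""
    not_before = datetime.fromtimestamp(cert["not_valid_before"], timezone.utc)
    not_after = datetime.fromtimestamp(cert["not_valid_after"], timezone.utc)
    flags = set()

    # Self-issued: subject and issuer DN are identical. Strictly, self-signed
    # also requires the signature to verify under the subject's own key, which
    # the log does not carry; subject == issuer is the usable proxy here.
    if cert["subject"] == cert["issuer"]:
        flags.add("self-issued")
        if timedelta(0) <= now - not_before <= timedelta(days=recent_days):
            flags.add("self-issued-recent")

    if not_after < now:
        flags.add("expired")
    elif not_after - now <= timedelta(days=expiring_days):
        flags.add("expiring-30d")

    # A not-yet-valid certificate usually means a skewed clock on the issuer.
    if not_before > now:
        flags.add("not-yet-valid")
    return flags


def run_x509_checks(log: list, now: datetime = NOW) -> dict:
    """Map certificate id -> sorted flag list, omitting clean certificates."""
    results = {}
    for cert in log:
        flags = classify_certificate(cert, now)
        if flags:
            results[cert["id"]] = sorted(flags)
    return results


if __name__ == "__main__":
    for cert_id, flags in run_x509_checks(X509_LOG).items():
        print(cert_id, flags)
```

The "recent" window is the tunable that separates signal from noise: internal tooling that rotates self-signed certificates on a schedule will trip a seven-day window constantly, so either exclude those hosts or shorten the window to the hours around a suspected intrusion.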

Cognito - VSA - Unencrypted FTP and Telnet

Finds instances of unencrypted FTP or Telnet activity. This traffic can be intercepted by malicious actors, and the credentials are sent in an unencrypted format.

 

Cognito TTP - HTTP - FireEye Red Team Tools USAToday GET

Finds use of the FireEye Red Team tools that were stolen in the December 2020 breach of FireEye.

https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Zloader Stager

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 POSeidon

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 

Cognito TTP - HTTP - Default PoshC2 HTTP Beacon

This model is designed to find the Nettitude Posh C2 Default Beacon URIs for the HTTP implant.

 

Cognito TTP - iSession - APT29 Solar Storm Campaign C2 Domains

This custom model will show activity towards the domains used in the APT29 Solar Storm campaign.

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Cognito - TTP - SMB Files - Xorist Known Ransom Extension

Finds all SMB sessions involving file names that match the known Xorist ransomware extension.

https://www.malware-traffic-analysis.net/2018/05/08/index2.html

Cognito - TTP - HTTP - Potential Cobalt Strike Malleable C2 Taidoor

Matches elements of the Cobalt Strike Malleable C2 profile for this C2 type: the User-Agent string the profile sets, the HTTP method, and the URI(s) defined in the profile.

 
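Every "Potential Cobalt Strike Malleable C2 ..." model on this page keys on the same three profile elements: the User-Agent the profile sets, the HTTP method, and the URI(s) listed in its http-get and http-post blocks. The following is an added example (not Vectra's search definitions, and the profile values are hypothetical rather than any published profile) that extracts those elements from a profile fragment and matches them against constructed Zeek-style http.log lines, requiring all three to line up before a session is reported. Field names follow Zeek's http.log.

```python
import re
from dataclasses import dataclass

# Constructed Malleable C2 profile fragment (hypothetical values, not a
# published profile). Only the three elements the Recall models key on are
# kept: the User-Agent and the URIs of the http-get and http-post blocks.
PROFILE_TEXT = '''
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
http-get {
    set uri "/pixel.gif /ga.js /__utm.gif";
}
http-post {
    set uri "/submit.php";
}
'''

# Constructed Zeek-style http.log lines (tab separated):
# ts, id.orig_h, id.resp_h, method, uri, user_agent
HTTP_LOG = """\
1609459200.1\t10.0.0.5\t203.0.113.10\tGET\t/ga.js\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
1609459260.4\t10.0.0.5\t203.0.113.10\tPOST\t/submit.php\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
1609459300.9\t10.0.0.7\t198.51.100.2\tGET\t/ga.js\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0
1609459310.0\t10.0.0.9\t192.0.2.8\tGET\t/index.html\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
"""


@dataclass(frozen=True)
class ProfileSignature:
    user_agent: str
    get_uris: frozenset
    post_uris: frozenset


def parse_profile(text: str) -> ProfileSignature:
    """Pull the User-Agent and per-method URI lists out of a profile fragment."""
    user_agent = re.search(r'set useragent\s+"([^"]+)";', text).group(1)

    def uris(block: str) -> frozenset:
        # "set uri" inside a block may carry several space-separated URIs;
        # Beacon picks one per request, so every one of them must be matched.
        m = re.search(block + r'\s*\{.*?set uri\s+"([^"]+)";', text, re.S)
        return frozenset(m.group(1).split()) if m else frozenset()

    return ProfileSignature(user_agent, uris("http-get"), uris("http-post"))


def match_http_log(log_text: str, sig: ProfileSignature) -> list:
    """Return the sessions where User-Agent, method and URI all match the profile."""
    expected = {"GET": sig.get_uris, "POST": sig.post_uris}
    hits = []
    for line in log_text.splitlines():
        ts, orig_h, resp_h, method, uri, user_agent = line.split("\t")
        path = uri.split("?", 1)[0]     # profiles match on the path, not the query
        if user_agent == sig.user_agent and path in expected.get(method, frozenset()):
            hits.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                         "method": method, "uri": path})
    return hits


def beaconing_hosts(hits: list) -> dict:
    """Count profile matches per (internal host, C2 server) pair."""
    counts = {}
    for hit in hits:
        key = (hit["orig_h"], hit["resp_h"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    signature = parse_profile(PROFILE_TEXT)
    matches = match_http_log(HTTP_LOG, signature)
    for hit in matches:
        print(f'{hit["orig_h"]} -> {hit["resp_h"]} {hit["method"]} {hit["uri"]}')
    print(beaconing_hosts(matches))
```

Requiring all three elements is what keeps the false-positive rate tolerable: `/ga.js` is a common legitimate path and the User-Agent is chosen to imitate a real browser, so either alone matches ordinary traffic (the third and fourth sample lines), while the combination on repeated sessions to one external host is characteristic of a Beacon check-in. Operators can edit any of these values in the profile, so a miss here does not rule Cobalt Strike out.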
