Hey, I'm trying to fully understand the following rule's logic: The rule lists 3 UAs (IE 7, 10) and a UA suffix. Usage of Cobalt Strike doesn't necessarily require using these (reference). What led to choosing the logic used in this rule?
Replies: 1 comment
Hey @orionova

You're correct, CS doesn't require the usage of these UAs, as you can use any. The rule is using a real-life example of profiles from the GH repo linked as a reference in the rule (at the time of writing).

Hence they are suspicious and could catch a subset of what's possible.