Hello, I have found www.amazon.com and www.youtube.com being flagged as cobaltstrike domains. Is it a false positive?
What does meta.do_notice mean, in all intel files they are F. Thanks
source in: cps_cobaltstrike_domain.intel
www.youtube.com Intel::DOMAIN CobaltStrike F C2
amazon.com Intel::DOMAIN CobaltStrike F C2
Yes, the feed that included that artifact has a high rate of false positives. I've commented out the line that spins it up. I'll work on a better solution in coming days.
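For readers who want to catch this kind of feed problem before it reaches production, here is an added example (not code from the original thread or from the feed's maintainers) that parses a Zeek intel file and flags entries whose domain, or a parent domain, sits on an allowlist of widely used sites. The sample intel text reuses the two lines quoted above plus one constructed indicator, and the allowlist is a constructed stand-in for whatever known-good list an organisation maintains. The parser also reads the meta.do_notice column, which in the Zeek Intel framework is a T/F flag saying whether a match on that indicator should raise a Notice in addition to being logged in intel.log; the quoted entries are all F, so they would only appear in intel.log.

```python
"""Audit a Zeek intel file for likely false positives.

Added example, not part of the original thread. The sample intel file and
the allowlist are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: Zeek intel files are tab-separated with a #fields header.
# The first two data rows are the ones quoted in the thread; the third is made up.
SAMPLE_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\tmeta.desc\n"
    "www.youtube.com\tIntel::DOMAIN\tCobaltStrike\tF\tC2\n"
    "amazon.com\tIntel::DOMAIN\tCobaltStrike\tF\tC2\n"
    "c2.example.invalid\tIntel::DOMAIN\tCobaltStrike\tT\tC2\n"
)

# Constructed allowlist of widely used domains. In practice build this from a
# top-sites list or your organisation's own known-good inventory.
ALLOWLIST = {"amazon.com", "youtube.com", "google.com"}


@dataclass
class IntelEntry:
    indicator: str
    indicator_type: str
    source: str
    do_notice: bool   # meta.do_notice: T means a match should raise a Notice
    desc: str


def parse_intel(text):
    """Parse Zeek intel file text (tab-separated, #fields header) into entries."""
    fields = None
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            continue
        if raw.startswith("#"):
            continue  # other comment/directive lines
        if fields is None:
            raise ValueError("intel data before #fields header")
        cols = dict(zip(fields, raw.split("\t")))
        entries.append(IntelEntry(
            indicator=cols["indicator"],
            indicator_type=cols["indicator_type"],
            source=cols.get("meta.source", ""),
            do_notice=cols.get("meta.do_notice", "F") == "T",
            desc=cols.get("meta.desc", ""),
        ))
    return entries


def is_allowlisted(domain, allowlist=ALLOWLIST):
    """True if the domain or any parent domain (excluding the bare TLD) is allowlisted."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def audit(entries, allowlist=ALLOWLIST):
    """Return DOMAIN indicators that collide with the allowlist (likely false positives)."""
    return [e.indicator for e in entries
            if e.indicator_type == "Intel::DOMAIN" and is_allowlisted(e.indicator, allowlist)]


def notice_summary(entries):
    """Count entries by their do_notice flag."""
    summary = {"T": 0, "F": 0}
    for e in entries:
        summary["T" if e.do_notice else "F"] += 1
    return summary


if __name__ == "__main__":
    parsed = parse_intel(SAMPLE_INTEL)
    print("do_notice counts:", notice_summary(parsed))
    for ind in audit(parsed):
        print("likely false positive:", ind)
```

Run it against a real feed by replacing SAMPLE_INTEL with the file's contents; anything it reports is worth pulling from the feed or overriding before the indicator starts generating intel.log hits for ordinary browsing.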