Cobalt Strike Command and Control Beacon
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/06"
3integration = ["network_traffic"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and
11exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for
12command and control.
13"""
14false_positives = [
15 """
16 This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is
17 expected.
18 """,
19]
20from = "now-9m"
21index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
22language = "lucene"
23license = "Elastic License v2"
24name = "Cobalt Strike Command and Control Beacon"
25note = """## Threat intel
26
27This activity has been observed in FIN7 campaigns."""
28references = [
29 "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
30 "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
31 "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
32]
33risk_score = 73
34rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
35severity = "high"
36tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41((event.category: (network OR network_traffic) AND type: (tls OR http))
42 OR event.dataset: (network_traffic.tls OR network_traffic.http)
43) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1071"
51name = "Application Layer Protocol"
52reference = "https://attack.mitre.org/techniques/T1071/"
53
54[[rule.threat.technique]]
55id = "T1568"
56name = "Dynamic Resolution"
57reference = "https://attack.mitre.org/techniques/T1568/"
58[[rule.threat.technique.subtechnique]]
59id = "T1568.002"
60name = "Domain Generation Algorithms"
61reference = "https://attack.mitre.org/techniques/T1568/002/"
62
63
64
65[rule.threat.tactic]
66id = "TA0011"
67name = "Command and Control"
68reference = "https://attack.mitre.org/tactics/TA0011/"
Threat intel
This activity has been observed in FIN7 campaigns.
References
-
Morphisec Lab identified a new fileless attack campaign targeting restaurants across the US, most likely perpetrated by FIN7. It uses some never before seen evasive techniques that allow it to bypass most security solutions.
Read More -
The combined script from Word textbox drops the following components: \Users\[user_name]\Intel\58d2a83f7778d5.36783181.vbs \Users\[user_name]\Intel\58d2a83f777942.26535794.ps1 \Users\[user_name]\In...
Read More -
Related rules
- Apple Script Execution followed by Network Connection
- Default Cobalt Strike Team Server Certificate
- Halfbaked Command and Control Beacon
- MacOS Installer Package Spawns Network Event
- Network Activity Detected via cat