Cobalt Strike Command and Control Beacon
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/06"
3integration = ["network_traffic"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/16"
8
9[rule]
10author = ["Elastic"]
11description = """
12Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and
13exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for
14command and control.
15"""
16false_positives = [
17 """
18 This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is
19 expected.
20 """,
21]
22from = "now-9m"
23index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
24language = "lucene"
25license = "Elastic License v2"
26name = "Cobalt Strike Command and Control Beacon"
27note = """## Threat intel
28
29This activity has been observed in FIN7 campaigns."""
30references = [
31 "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
32 "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
33 "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
34]
35risk_score = 73
36rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
37severity = "high"
38tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43((event.category: (network OR network_traffic) AND type: (tls OR http))
44 OR event.dataset: (network_traffic.tls OR network_traffic.http)
45) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1071"
53name = "Application Layer Protocol"
54reference = "https://attack.mitre.org/techniques/T1071/"
55
56[[rule.threat.technique]]
57id = "T1568"
58name = "Dynamic Resolution"
59reference = "https://attack.mitre.org/techniques/T1568/"
60[[rule.threat.technique.subtechnique]]
61id = "T1568.002"
62name = "Domain Generation Algorithms"
63reference = "https://attack.mitre.org/techniques/T1568/002/"
64
65
66
67[rule.threat.tactic]
68id = "TA0011"
69name = "Command and Control"
70reference = "https://attack.mitre.org/tactics/TA0011/"
Threat intel
This activity has been observed in FIN7 campaigns.
References
-
Morphisec Lab identified a new fileless attack campaign targeting restaurants across the US, most likely perpetrated by FIN7. It uses some never before seen evasive techniques that allow it to bypass most security solutions.
Read More -
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not...
Read More -
Related rules
- Halfbaked Command and Control Beacon
- Accepted Default Telnet Port Connection
- Default Cobalt Strike Team Server Certificate
- IPSEC NAT Traversal Port Activity
- RDP (Remote Desktop Protocol) from the Internet