Cobalt Strike Command and Control Beacon
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/06"
3integration = ["network_traffic"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/16"
8
9[rule]
10author = ["Elastic"]
11description = """
12Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and
13exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for
14command and control.
15"""
16false_positives = [
17 """
18 This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is
19 expected.
20 """,
21]
22from = "now-9m"
23index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
24language = "lucene"
25license = "Elastic License v2"
26name = "Cobalt Strike Command and Control Beacon"
27note = """## Threat intel
28
29This activity has been observed in FIN7 campaigns."""
30references = [
31 "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
32 "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
33 "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
34]
35risk_score = 73
36rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
37severity = "high"
38tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43((event.category: (network OR network_traffic) AND type: (tls OR http))
44 OR event.dataset: (network_traffic.tls OR network_traffic.http)
45) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1071"
53name = "Application Layer Protocol"
54reference = "https://attack.mitre.org/techniques/T1071/"
55
56[[rule.threat.technique]]
57id = "T1568"
58name = "Dynamic Resolution"
59reference = "https://attack.mitre.org/techniques/T1568/"
60[[rule.threat.technique.subtechnique]]
61id = "T1568.002"
62name = "Domain Generation Algorithms"
63reference = "https://attack.mitre.org/techniques/T1568/002/"
64
65
66
67[rule.threat.tactic]
68id = "TA0011"
69name = "Command and Control"
70reference = "https://attack.mitre.org/tactics/TA0011/"
Threat intel
This activity has been observed in FIN7 campaigns.
References
Related rules
- Halfbaked Command and Control Beacon
- Accepted Default Telnet Port Connection
- Default Cobalt Strike Team Server Certificate
- IPSEC NAT Traversal Port Activity
- RDP (Remote Desktop Protocol) from the Internet