Cobalt Strike Command and Control Beacon

Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.

Elastic rule

[metadata]
creation_date = "2020/07/06"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and
exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for
command and control.
"""
false_positives = [
    """
    This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is
    expected.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "lucene"
license = "Elastic License v2"
name = "Cobalt Strike Command and Control Beacon"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Cobalt Strike Command and Control Beacon

Cobalt Strike is a penetration testing tool often repurposed by attackers for malicious activities, particularly for establishing command and control (C2) channels. Adversaries exploit its beaconing feature to communicate with compromised systems using common protocols like HTTP or TLS. The detection rule identifies suspicious network patterns, such as specific domain naming conventions, indicative of Cobalt Strike's C2 activity, helping analysts pinpoint potential threats.

### Possible investigation steps

- Review the alert details to identify the specific domain that triggered the rule, focusing on the pattern [a-z]{3}.stage.[0-9]{8}\\..* to determine if it matches known malicious domains.
- Analyze the network traffic logs associated with the alert, specifically looking at events categorized under network or network_traffic with types tls or http, to gather more context about the communication.
- Investigate the source IP address and destination domain involved in the alert to determine if they have been associated with previous malicious activities or are listed in threat intelligence databases.
- Examine the timeline of the network activity to identify any patterns or anomalies that could indicate a larger campaign or coordinated attack.
- Check for any related alerts or incidents in the security information and event management (SIEM) system that might provide additional context or indicate a broader compromise.
- Assess the affected endpoint for any signs of compromise, such as unusual processes or connections, to determine if further containment or remediation actions are necessary.

### False positive analysis

- Legitimate software updates or patch management systems may use similar domain naming conventions. Review and whitelist known update servers to prevent false alerts.
- Internal development or testing environments might mimic Cobalt Strike's domain patterns for legitimate purposes. Identify and exclude these environments from the rule.
- Automated scripts or tools that generate network traffic with similar domain structures can trigger false positives. Monitor and document these tools, then create exceptions for their activity.
- Some content delivery networks (CDNs) might use domain patterns that match the rule's criteria. Verify and exclude trusted CDNs to reduce unnecessary alerts.
- Regularly review and update the list of exceptions to ensure that only verified non-threatening behaviors are excluded, maintaining the rule's effectiveness.

### Response and remediation

- Isolate the affected systems immediately to prevent further communication with the Cobalt Strike C2 server. This can be done by disconnecting the network or using network segmentation techniques.
- Conduct a thorough forensic analysis of the compromised systems to identify the extent of the breach and any additional payloads or backdoors that may have been installed.
- Remove any identified Cobalt Strike beacons or related malware from the affected systems using updated antivirus or endpoint detection and response (EDR) tools.
- Change all credentials and access tokens that may have been exposed or used on the compromised systems to prevent unauthorized access.
- Monitor network traffic for any signs of re-infection or communication attempts with known Cobalt Strike C2 domains, using updated threat intelligence feeds.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised.
- Implement network-level controls, such as blocking known malicious domains and IP addresses associated with Cobalt Strike, to prevent future attacks.

## Threat intel

This activity has been observed in FIN7 campaigns."""
references = [
    "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
    "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
    "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
]
risk_score = 73
rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
((event.category: (network OR network_traffic) AND type: (tls OR http))
    OR event.dataset: (network_traffic.tls OR network_traffic.http)
) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique]]
id = "T1568"
name = "Dynamic Resolution"
reference = "https://attack.mitre.org/techniques/T1568/"
[[rule.threat.technique.subtechnique]]
id = "T1568.002"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1568/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
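To make explicit what the query above selects, and how the exceptions discussed in the false positive analysis fit in, here is an added Python emulation of the rule's logic. It is not Elastic's code (the real rule runs as a Lucene query in the detection engine); it assumes events flattened to dotted ECS keys, and the sample events and the allowlist passed as an exception list are constructed for illustration. Two details worth seeing in working form: a Lucene regex query must match the whole term, so the pattern is applied with fullmatch, and the unescaped dots between the three letters, "stage" and the eight digits match any character, not only a literal dot.

```python
import re

# Regex copied from the rule's query: destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
# Lucene regexp queries are implicitly anchored to the whole term, hence fullmatch below.
# Note the first two '.' are unescaped (any single character); only the third is a literal dot.
DOMAIN_PATTERN = re.compile(r"[a-z]{3}.stage.[0-9]{8}\..*")

SCOPE_CATEGORIES = {"network", "network_traffic"}
SCOPE_TYPES = {"tls", "http"}
SCOPE_DATASETS = {"network_traffic.tls", "network_traffic.http"}


def _as_list(value):
    """ECS fields such as event.category may be a scalar or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def domain_matches(domain: str) -> bool:
    """True when the destination domain matches the rule's regex (case-sensitive, whole value)."""
    return DOMAIN_PATTERN.fullmatch(domain) is not None


def event_in_scope(event: dict) -> bool:
    """Mirror the protocol/dataset clause of the query:
    (event.category: (network OR network_traffic) AND type: (tls OR http))
        OR event.dataset: (network_traffic.tls OR network_traffic.http)
    """
    categories = set(_as_list(event.get("event.category")))
    types = set(_as_list(event.get("type")))
    by_category = bool(categories & SCOPE_CATEGORIES) and bool(types & SCOPE_TYPES)
    by_dataset = event.get("event.dataset") in SCOPE_DATASETS
    return by_category or by_dataset


def rule_matches(event: dict, exclusions=frozenset()) -> bool:
    """Full rule: in-scope event AND domain pattern, minus an allowlist of verified
    destinations (an assumed stand-in for the rule exceptions the guide recommends)."""
    domain = event.get("destination.domain")
    if not domain or domain in exclusions:
        return False
    return event_in_scope(event) and domain_matches(domain)


def run_rule(events, exclusions=frozenset()):
    """Return the destination domains of every event that would raise an alert."""
    return [e["destination.domain"] for e in events if rule_matches(e, exclusions)]


# Constructed sample events (flattened ECS keys); none of these domains are real indicators.
SAMPLE_EVENTS = [
    # in scope via event.category/type, domain matches the pattern -> alert
    {"event.category": ["network"], "type": "http",
     "destination.domain": "abc.stage.12345678.example.com"},
    # in scope via event.dataset only -> alert
    {"event.dataset": "network_traffic.tls",
     "destination.domain": "xyz.stage.20200706.cdn.example.net"},
    # same domain but DNS traffic: outside the tls/http scope -> no alert
    {"event.category": ["network"], "type": "dns",
     "destination.domain": "abc.stage.12345678.example.com"},
    # ordinary destination, pattern does not match -> no alert
    {"event.category": ["network"], "type": "http",
     "destination.domain": "updates.example.com"},
    # two letters and seven digits: pattern requires exactly three and eight -> no alert
    {"event.category": ["network"], "type": "http",
     "destination.domain": "ab.stage.1234567.example.com"},
    # matches the pattern, but is a verified patch server that belongs on the exception list
    {"event.category": ["network"], "type": "tls",
     "destination.domain": "abc.stage.12345678.patch.example.org"},
]

# Assumed allowlist, standing in for a reviewed rule exception (see false positive analysis).
VERIFIED_DESTINATIONS = frozenset({"abc.stage.12345678.patch.example.org"})


if __name__ == "__main__":
    print("without exceptions:", run_rule(SAMPLE_EVENTS))
    print("with exceptions:   ", run_rule(SAMPLE_EVENTS, VERIFIED_DESTINATIONS))
```

Because keyword-field regexes are case-sensitive, a destination written in upper case would slip past the pattern; if your pipeline does not already lower-case destination.domain at ingest, that is worth checking before relying on this rule.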

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Cobalt Strike Command and Control Beacon

Cobalt Strike is a penetration testing tool often repurposed by attackers for malicious activities, particularly for establishing command and control (C2) channels. Adversaries exploit its beaconing feature to communicate with compromised systems using common protocols like HTTP or TLS. The detection rule identifies suspicious network patterns, such as specific domain naming conventions, indicative of Cobalt Strike's C2 activity, helping analysts pinpoint potential threats.

Possible investigation steps

  • Review the alert details to identify the specific domain that triggered the rule, focusing on the pattern [a-z]{3}.stage.[0-9]{8}\..* to determine if it matches known malicious domains.
  • Analyze the network traffic logs associated with the alert, specifically looking at events categorized under network or network_traffic with types tls or http, to gather more context about the communication.
  • Investigate the source IP address and destination domain involved in the alert to determine if they have been associated with previous malicious activities or are listed in threat intelligence databases.
  • Examine the timeline of the network activity to identify any patterns or anomalies that could indicate a larger campaign or coordinated attack.
  • Check for any related alerts or incidents in the security information and event management (SIEM) system that might provide additional context or indicate a broader compromise.
  • Assess the affected endpoint for any signs of compromise, such as unusual processes or connections, to determine if further containment or remediation actions are necessary.

False positive analysis

  • Legitimate software updates or patch management systems may use similar domain naming conventions. Review and whitelist known update servers to prevent false alerts.
  • Internal development or testing environments might mimic Cobalt Strike's domain patterns for legitimate purposes. Identify and exclude these environments from the rule.
  • Automated scripts or tools that generate network traffic with similar domain structures can trigger false positives. Monitor and document these tools, then create exceptions for their activity.
  • Some content delivery networks (CDNs) might use domain patterns that match the rule's criteria. Verify and exclude trusted CDNs to reduce unnecessary alerts.
  • Regularly review and update the list of exceptions to ensure that only verified non-threatening behaviors are excluded, maintaining the rule's effectiveness.

Response and remediation

  • Isolate the affected systems immediately to prevent further communication with the Cobalt Strike C2 server. This can be done by disconnecting the network or using network segmentation techniques.
  • Conduct a thorough forensic analysis of the compromised systems to identify the extent of the breach and any additional payloads or backdoors that may have been installed.
  • Remove any identified Cobalt Strike beacons or related malware from the affected systems using updated antivirus or endpoint detection and response (EDR) tools.
  • Change all credentials and access tokens that may have been exposed or used on the compromised systems to prevent unauthorized access.
  • Monitor network traffic for any signs of re-infection or communication attempts with known Cobalt Strike C2 domains, using updated threat intelligence feeds.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised.
  • Implement network-level controls, such as blocking known malicious domains and IP addresses associated with Cobalt Strike, to prevent future attacks.

Threat intel

This activity has been observed in FIN7 campaigns.
