Halfbaked Command and Control Beacon
Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.
# Elastic prebuilt detection rule. [metadata] carries lifecycle fields used by the
# rule tooling; [rule] carries the detection logic, its analyst-facing text and the
# ATT&CK mapping. Comments must stay outside the ''' query ''' string, otherwise they
# become part of the query.
[metadata]
creation_date = "2020/07/06"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity
algorithm leveraged by Halfbaked implant beacons for command and control.
"""
# Analyst guidance only: the rule body defines no exclusions of its own, so hosts where
# this traffic is expected have to be excluded by the operator (e.g. via rule exceptions).
false_positives = [
 """
 This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is
 expected.
 """,
]
# Look-back window per rule execution. timestamp_override below selects event.ingested
# as the time field the window is applied to, presumably so late-arriving network
# events are still evaluated — verify against the rule engine docs if tuning this value.
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "lucene"
license = "Elastic License v2"
name = "Halfbaked Command and Control Beacon"
note = """## Threat intel

This activity has been observed in FIN7 campaigns."""
references = [
 "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
 "https://attack.mitre.org/software/S0151/",
]
risk_score = 73
rule_id = "2e580225-2a58-48ef-938b-572933be06fe"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
timestamp_override = "event.ingested"
type = "query"

# Lucene query. Matches TLS/HTTP network_traffic events (or generic network events whose
# protocol is http) over TCP, whose full URL looks like http://<4 digit groups>/cd, on
# ports 53, 80, 8080 or 443.
# NOTE(review): inside the /.../ regex the separators between the [0-9]{1,3} groups are a
# bare `.`, which in Lucene regex syntax matches any single character rather than only a
# literal dot, so the pattern is looser than a dotted IPv4 literal; `\.` would pin it —
# confirm whether the looseness is intended before tightening, since it changes what fires.
# NOTE(review): the scheme is fixed to `http://` while 443 is among the ports, so hits on
# 443 depend on url.full being populated for plaintext HTTP on that port — verify against
# the source datasets.
query = '''
(event.dataset: (network_traffic.tls OR network_traffic.http) OR
 (event.category: (network OR network_traffic) AND network.protocol: http)) AND
 network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
 destination.port:(53 OR 80 OR 8080 OR 443)
'''


# ATT&CK mapping. Each [[rule.threat.technique]] belongs to the single [[rule.threat]]
# entry above it; the [rule.threat.tactic] table at the end is that entry's tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

# NOTE(review): the query keys on an IP-literal URL, not on generated domain names, so
# the T1568.002 mapping presumably describes the implant family's wider behaviour rather
# than what this query detects — confirm the mapping is meant to be that broad.
[[rule.threat.technique]]
id = "T1568"
name = "Dynamic Resolution"
reference = "https://attack.mitre.org/techniques/T1568/"
[[rule.threat.technique.subtechnique]]
id = "T1568.002"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1568/002/"



[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
Threat intel
This activity has been observed in FIN7 campaigns.