Halfbaked Command and Control Beacon
Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/07/06"
3integration = ["network_traffic"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/16"
8
9[rule]
10author = ["Elastic"]
11description = """
12Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity
13algorithm leveraged by Halfbaked implant beacons for command and control.
14"""
15false_positives = [
16 """
17 This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is
18 expected.
19 """,
20]
21from = "now-9m"
22index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
23language = "lucene"
24license = "Elastic License v2"
25name = "Halfbaked Command and Control Beacon"
26note = """## Threat intel
27
28This activity has been observed in FIN7 campaigns."""
29references = [
30 "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
31 "https://attack.mitre.org/software/S0151/",
32]
33risk_score = 73
34rule_id = "2e580225-2a58-48ef-938b-572933be06fe"
35severity = "high"
36tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41(event.dataset: (network_traffic.tls OR network_traffic.http) OR
42 (event.category: (network OR network_traffic) AND network.protocol: http)) AND
43 network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND
44 destination.port:(53 OR 80 OR 8080 OR 443)
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1071"
52name = "Application Layer Protocol"
53reference = "https://attack.mitre.org/techniques/T1071/"
54
55[[rule.threat.technique]]
56id = "T1568"
57name = "Dynamic Resolution"
58reference = "https://attack.mitre.org/techniques/T1568/"
59[[rule.threat.technique.subtechnique]]
60id = "T1568.002"
61name = "Domain Generation Algorithms"
62reference = "https://attack.mitre.org/techniques/T1568/002/"
63
64
65
66[rule.threat.tactic]
67id = "TA0011"
68name = "Command and Control"
69reference = "https://attack.mitre.org/tactics/TA0011/"
Threat intel
This activity has been observed in FIN7 campaigns.
References
-
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not...
Read More -
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell HALFBAKED can execute PowerShell scripts.[1] Enterprise T1070 .004 Indicator Removal: File Deletion HALFBAKED can delete a specif...
Read More
Related rules
- Cobalt Strike Command and Control Beacon
- Accepted Default Telnet Port Connection
- Default Cobalt Strike Team Server Certificate
- IPSEC NAT Traversal Port Activity
- RDP (Remote Desktop Protocol) from the Internet