Cobalt Strike DNS Beaconing

 1title: Cobalt Strike DNS Beaconing
 2id: 2975af79-28c4-4d2f-a951-9095f229df29
 3status: test
 4description: Detects suspicious DNS queries known from Cobalt Strike beacons
 5references:
 6    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
 7    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 8author: Florian Roth (Nextron Systems)
 9date: 2018-05-10
10modified: 2022-10-09
11tags:
12    - attack.command-and-control
13    - attack.t1071.004
14logsource:
15    category: dns
16detection:
17    selection1:
18        query|startswith:
19            - 'aaa.stage.'
20            - 'post.1'
21    selection2:
22        query|contains: '.stage.123456.'
23    condition: 1 of selection*
24falsepositives:
25    - Unknown
26level: critical

References

• https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns

  
  Read More

• Hunting and detecting Cobalt Strike

  

  In this blogpost, we describe step by step how to ensure a proactive and defensive posture against Cobalt Strike.

  
  Read More

Related rules

• DNS Exfiltration and Tunneling Tools Execution
• DNS TXT Answer with Possible Execution Strings
• OilRig APT Activity
• OilRig APT Registry Persistence
• OilRig APT Schedule Task Persistence - Security