Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
Sigma rule

title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2018/05/10
modified: 2022/10/09
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection1:
        query|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        query|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
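The rule's detection block reads as three string tests combined by `1 of selection*`: a query is flagged if it starts with either `aaa.stage.` or `post.1` (selection1), or if it contains `.stage.123456.` anywhere (selection2). The following is an added example, not code from the rule page or from SigmaHQ, that applies exactly that logic to a constructed set of DNS query records. It assumes a generic `dns`-category record whose queried name is in a field called `query`; real backends map this to whatever field their telemetry uses (for example Sysmon event 22 uses `QueryName`). Sigma's `startswith` and `contains` modifiers are case-insensitive unless the `cased` modifier is added, so the comparison lower-cases both sides to match what a Sigma backend would emit.

```python
"""Cobalt Strike DNS beaconing check modelled on Sigma rule
2975af79-28c4-4d2f-a951-9095f229df29.

Added example (not the rule page's or SigmaHQ's own code). It applies the
rule's patterns to constructed DNS query records and returns the hits.
"""
from typing import Iterable

# Patterns copied verbatim from the rule's detection block.
STARTSWITH_PATTERNS = ("aaa.stage.", "post.1")   # selection1: query|startswith
CONTAINS_PATTERNS = (".stage.123456.",)          # selection2: query|contains


def matches_rule(query: str) -> bool:
    """Return True when `query` satisfies the rule condition `1 of selection*`.

    Sigma string modifiers are case-insensitive by default, so the queried
    name is lower-cased before the prefix/substring tests.
    """
    q = query.lower()
    selection1 = any(q.startswith(p) for p in STARTSWITH_PATTERNS)
    selection2 = any(p in q for p in CONTAINS_PATTERNS)
    return selection1 or selection2


def find_alerts(records: Iterable[dict]) -> list[dict]:
    """Filter DNS query records (dicts with a 'query' key) that match the rule.

    Assumption for this example: the queried name lives in the `query` field,
    as in Sigma's generic `dns` log source.
    """
    return [r for r in records if matches_rule(r.get("query", ""))]


# Constructed sample records (not real telemetry). The attacker domain
# `evil.example` is a placeholder.
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T10:00:01Z", "src_ip": "10.0.0.5", "query": "aaa.stage.123456.evil.example"},
    {"ts": "2024-01-01T10:00:02Z", "src_ip": "10.0.0.5", "query": "post.1abc.evil.example"},
    {"ts": "2024-01-01T10:00:03Z", "src_ip": "10.0.0.7", "query": "cdn.stage.123456.evil.example"},
    {"ts": "2024-01-01T10:00:04Z", "src_ip": "10.0.0.9", "query": "www.example.com"},
    # Upper-case variant: still matches because Sigma matching is case-insensitive.
    {"ts": "2024-01-01T10:00:05Z", "src_ip": "10.0.0.9", "query": "AAA.STAGE.99.evil.example"},
    # `post.1` appears, but not as a prefix, and `.stage.123456.` is absent: no match.
    {"ts": "2024-01-01T10:00:06Z", "src_ip": "10.0.0.9", "query": "mail.post.1.example.com"},
]

if __name__ == "__main__":
    for r in find_alerts(SAMPLE_RECORDS):
        print(f"[critical] Cobalt Strike DNS beaconing: {r['src_ip']} -> {r['query']}")
```

Run as a script it prints the four matching records. The last sample record is the one to keep in mind when porting the rule: `startswith` anchors `post.1` to the beginning of the whole queried name, so a Sigma backend that translated it as a plain substring search would widen the rule beyond what the author wrote.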
Related rules
- Suspicious Cobalt Strike DNS Beaconing - DNS Client
- Suspicious Cobalt Strike DNS Beaconing - Sysmon
- Suspicious DNS Query with B64 Encoded String
- DNS Query From Process with Double File Extension
- Download by Process with Double File Extension