Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Sigma rule

title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical
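The rule's condition, "selection_eid and 1 of selection_query_*", fires when a DNS Client event has EventID 3008 and its QueryName either starts with one of the listed prefixes or contains the ".stage.123456." substring. The following Python evaluator is an added example, not code from the Sigma project or the rule's author: it reproduces that logic (including Sigma's default case-insensitive string matching) and runs it over a handful of constructed Event 3008 records. The DnsClientEvent class, the process field and all domain and path values are assumptions made for the demonstration; only the event ID, field name and match strings come from the rule.

```python
# Added example (not part of the Sigma project): evaluates this rule's
# detection block against constructed DNS Client operational events.
# Sigma string modifiers (startswith/contains) match case-insensitively by
# default, so the evaluator lower-cases the query name before comparing.
from dataclasses import dataclass

# Values taken from the rule's detection block.
RULE_EVENT_ID = 3008
QUERY_STARTSWITH = ("aaa.stage.", "post.1")
QUERY_CONTAINS = (".stage.123456.",)


@dataclass(frozen=True)
class DnsClientEvent:
    """Minimal view of a DNS Client event; the fields are an assumption."""
    event_id: int
    query_name: str
    process: str  # image path of the querying program, kept for triage


def matches_rule(event: DnsClientEvent) -> bool:
    """True when the event satisfies
    'selection_eid and 1 of selection_query_*'."""
    if event.event_id != RULE_EVENT_ID:          # selection_eid
        return False
    name = event.query_name.lower()
    starts = any(name.startswith(p) for p in QUERY_STARTSWITH)   # selection_query_1
    contains = any(p in name for p in QUERY_CONTAINS)             # selection_query_2
    return starts or contains                     # "1 of selection_query_*"


def find_hits(events):
    """Return, in input order, the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; domains and process paths are placeholders.
SAMPLE_EVENTS = [
    DnsClientEvent(3008, "aaa.stage.12345.beacon-example.test",
                   r"C:\Users\u\AppData\Local\Temp\upd.exe"),
    DnsClientEvent(3008, "POST.1a2b3c.beacon-example.test",       # mixed case
                   r"C:\Windows\System32\rundll32.exe"),
    DnsClientEvent(3008, "api.stage.123456.beacon-example.test",  # contains match
                   r"C:\Users\u\Downloads\doc.exe"),
    DnsClientEvent(3008, "www.example.test",                      # benign
                   r"C:\Program Files\Browser\browser.exe"),
    DnsClientEvent(3006, "aaa.stage.12345.beacon-example.test",   # wrong event ID
                   r"C:\Users\u\AppData\Local\Temp\upd.exe"),
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT (critical): {hit.process} queried {hit.query_name}")
```

Three of the five constructed events match: the two prefix hits and the one substring hit. The record with EventID 3006 is excluded even though its query name matches, which is the point of anding selection_eid with the query selections. Because the page lists false positives as Unknown, a hit is worth triaging by the querying process before acting on it.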
Related rules
- Cobalt Strike DNS Beaconing
- DNS Exfiltration and Tunneling Tools Execution
- DNS TXT Answer with Possible Execution Strings
- OilRig APT Activity
- OilRig APT Registry Persistence