Suspicious Cobalt Strike DNS Beaconing - DNS Client

Detects DNS queries whose names match patterns used by Cobalt Strike DNS beacons (the "aaa.stage." stager lookup, the "post.1" data-channel prefix and the ".stage.123456." label), using event ID 3008 (DNS query completed) from the Microsoft-Windows-DNS-Client/Operational log. That channel is disabled by default; until it is enabled (for example with wevtutil set-log Microsoft-Windows-DNS-Client/Operational /enabled:true) no 3008 events are written and the rule can never fire.

Sigma rule

title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/16
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical
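The following is an added example, not code from the rule page or from the SigmaHQ project: it re-implements the rule's detection logic in Python and runs it over constructed DNS Client 3008 events, so you can see which query names the condition "selection_eid and 1 of selection_query_*" actually catches. The event XML, the domain cdn-updates.example and the hex labels are made up for illustration; the XML keeps only the System and EventData fields the rule needs. Two points the YAML alone does not make obvious: Sigma string modifiers match case-insensitively, and "post.1" is a prefix match, so "postmaster.example.com" does not match while "POST.1..." does.

```python
"""Evaluate the Sigma rule 0d18728b-f5bf-4381-9dcf-915539fff6c2 over sample
DNS Client events.  Added example; not part of the original page."""
import xml.etree.ElementTree as ET

# Patterns copied verbatim from the rule's detection block.
QUERY_STARTSWITH = ("aaa.stage.", "post.1")          # selection_query_1
QUERY_CONTAINS = (".stage.123456.",)                  # selection_query_2
REQUIRED_EVENT_ID = 3008                              # selection_eid

# Windows event-log XML namespace (used by Get-WinEvent's ToXml() output).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event_xml(xml_text: str) -> dict:
    """Flatten a Windows event XML record into {"EventID": int, <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields


def matches_rule(event: dict) -> bool:
    """Implements: selection_eid and 1 of selection_query_*"""
    if event.get("EventID") != REQUIRED_EVENT_ID:
        return False
    # Sigma string matching is case-insensitive by default, so normalise first.
    name = str(event.get("QueryName", "")).lower()
    query_1 = any(name.startswith(p) for p in QUERY_STARTSWITH)
    query_2 = any(p in name for p in QUERY_CONTAINS)
    return query_1 or query_2


def run(events) -> list:
    """Return the QueryName of every event the rule would alert on."""
    return [e["QueryName"] for e in events if matches_rule(e)]


# Constructed sample: one 3008 record as it might come out of
# Microsoft-Windows-DNS-Client/Operational, trimmed to the relevant fields.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Client" />
    <EventID>3008</EventID>
    <Channel>Microsoft-Windows-DNS-Client/Operational</Channel>
  </System>
  <EventData>
    <Data Name="QueryName">post.1.19997c3e.cdn-updates.example</Data>
    <Data Name="QueryType">1</Data>
  </EventData>
</Event>"""

# Constructed sample events (hypothetical domain, not real observations).
SAMPLE_EVENTS = [
    {"EventID": 3008, "QueryName": "aaa.stage.123456.cdn-updates.example"},   # stager lookup
    parse_event_xml(SAMPLE_XML),                                              # post.1 prefix
    {"EventID": 3008, "QueryName": "19997c3e.stage.123456.cdn-updates.example"},  # contains
    {"EventID": 3008, "QueryName": "AAA.STAGE.123456.CDN-UPDATES.EXAMPLE"},   # case-insensitive
    {"EventID": 3008, "QueryName": "www.microsoft.com"},                      # benign
    {"EventID": 3006, "QueryName": "aaa.stage.123456.cdn-updates.example"},   # wrong event ID
    {"EventID": 3008, "QueryName": "postmaster.example.com"},                 # "post" but not "post.1"
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints four alerts: the three lower-case beacon-style names and the upper-case variant. The 3006 record is ignored because the rule is pinned to event ID 3008, and "postmaster.example.com" is not caught because the prefix is "post.1", not "post".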
