Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Sigma rule
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
fields:
    - Image
    - CommandLine
level: critical
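The rule's detection block is small enough to evaluate by hand, which is a useful way to confirm what it does and does not fire on. The following is an added example, not code from the SigmaHQ project or from the rule author: it transcribes the two selections and the `1 of selection*` condition into plain Python and runs them over a handful of constructed Sysmon Event ID 22 (DnsQuery) records. Sigma string matching is case-insensitive and a list of values under one field is OR-ed, so the matcher applies both; the query names, image paths and command lines in the sample events are made up for illustration.

```python
"""Added example: evaluate the Sigma rule's detection logic over sample Sysmon
Event ID 22 (DnsQuery) records. Not part of the SigmaHQ project; the sample
events below are constructed for illustration only."""

# Detection section of the rule, transcribed from the page.
RULE_DETECTION = {
    "selection1": {"QueryName|startswith": ["aaa.stage.", "post.1"]},
    "selection2": {"QueryName|contains": ".stage.123456."},
}
# The rule's 'fields' list: attributes an analyst wants alongside the hit.
RULE_FIELDS = ["Image", "CommandLine"]


def _match_field(event, key, patterns):
    """Apply one Sigma field condition ('Field|modifier') to an event.
    Sigma string matching is case-insensitive; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    for pattern in patterns:
        p = str(pattern).lower()
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False


def _selection_matches(event, selection):
    # Field conditions inside one selection are AND-ed.
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(event):
    """Condition '1 of selection*': the event matches if any selection does.
    Returns the names of the matching selections (empty list = no alert)."""
    return [name for name, sel in RULE_DETECTION.items()
            if _selection_matches(event, sel)]


def triage_fields(event):
    """Pull the rule's 'fields' (Image, CommandLine) out of a matching event."""
    return {f: event.get(f) for f in RULE_FIELDS}


# Constructed sample events in the shape of Sysmon Event ID 22 (DnsQuery).
SAMPLE_EVENTS = [
    {"EventID": 22, "QueryName": "aaa.stage.987654.example.invalid",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\update.exe"'},
    {"EventID": 22, "QueryName": "POST.1a2b3c.example.invalid",   # case differs
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\lib.dll,Start"},
    {"EventID": 22, "QueryName": "cdn.stage.123456.example.invalid",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 22, "QueryName": "www.example.invalid",            # benign
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return (event index, matched selections, triage fields) per alert."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 22:      # logsource: windows / dns_query
            continue
        hits = evaluate(ev)
        if hits:
            alerts.append((i, hits, triage_fields(ev)))
    return alerts


if __name__ == "__main__":
    for idx, hits, fields in run():
        print(f"event {idx}: matched {hits} -> {fields}")
```

Running it flags the first three events (the second despite the upper-case `POST.1` prefix) and leaves the ordinary browser lookup alone; a real deployment would feed the returned `Image` and `CommandLine` into triage, since the query name alone does not say which process issued it.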
Related rules
- Cobalt Strike DNS Beaconing
- DNS Exfiltration and Tunneling Tools Execution
- DNS TXT Answer with Possible Execution Strings
- OilRig APT Activity
- OilRig APT Registry Persistence