CobaltStrike DNS rules

rules/network/net_mal_dns_cobaltstrike.yml

@@ -11,11 +11,13 @@ references:
 logsource:
     category: dns
 detection:
-    selection:
+    selection1:
         query|startswith:
             - 'aaa.stage.' 
             - 'post.1'
-    condition: selection
+    selection2:
+        query|contains: '.stage.123456.'
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: critical

rules/windows/dns_query/dns_net_mal_cobaltstrike.yml

@@ -0,0 +1,30 @@
+title: Suspicious Cobalt Strike DNS Beaconing
+id: f356a9c4-effd-4608-bbf8-408afd5cd006
+status: experimental
+description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
+author: Florian Roth
+date: 2021/11/09
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection1:
+        QueryName|startswith:
+            - 'aaa.stage.' 
+            - 'post.1'
+    selection2:
+        QueryName|contains: '.stage.123456.'
+    condition: 1 of them
+fields:
+    - Image
+    - CommandLine
+falsepositives:
+    - Unknown
+level: critical