Merge pull request #2243 from SigmaHQ/rule-devel

CobaltStrike DNS beaconing, some FP fixes
2021-11-11 17:21:33 +01:00
parent 8b419b8f07 b61e92ae1d
commit 791736cb3e
6 changed files with 43 additions and 5 deletions
@@ -11,11 +11,13 @@ references:
 logsource:
    category: dns
 detection:
-    selection:
+    selection1:
        query|startswith:
            - 'aaa.stage.' 
            - 'post.1'
-    condition: selection
+    selection2:
+        query|contains: '.stage.123456.'
+    condition: 1 of them
 falsepositives:
    - Unknown
 level: critical
@@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a
 related:
    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
      type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references"
+references: 
+    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask
 status: experimental
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2021/04/19
+modified: 2021/11/09
 references:
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
@@ -53,6 +53,9 @@ detection:
            - '\minionhost.exe'  # Cyberreason
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\thor64.exe'      # THOR
+            - '\MicrosoftEdgeUpdate.exe'
+            - '\GamingServices.exe'
+            - '\svchost.exe'
        ProcessName|startswith:
            - C:\Windows\System32\
            - C:\Windows\SysWow64\
@@ -0,0 +1,30 @@
+title: Suspicious Cobalt Strike DNS Beaconing
+id: f356a9c4-effd-4608-bbf8-408afd5cd006
+status: experimental
+description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
+author: Florian Roth
+date: 2021/11/09
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection1:
+        QueryName|startswith:
+            - 'aaa.stage.' 
+            - 'post.1'
+    selection2:
+        QueryName|contains: '.stage.123456.'
+    condition: 1 of them
+fields:
+    - Image
+    - CommandLine
+falsepositives:
+    - Unknown
+level: critical
@@ -6,7 +6,7 @@ references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth, Max Altgelt
 date: 2021/07/14
-modified: 2021/08/10
+modified: 2021/11/11
 tags:
    - attack.execution
 logsource:
@@ -32,6 +32,7 @@ detection:
            - ' >'
            - 'Out-File'
            - 'ConvertTo-Json'
+            - '-WindowStyle hidden -Verb runAs'  # VSCode behaviour if file cannot be written as current user
    condition: selection and not filter
 falsepositives:
    - Administrative scripts