refactor: CobaltStrike beacon rule

rules/network/net_mal_dns_cobaltstrike.yml

@@ -4,16 +4,18 @@ status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 author: Florian Roth
 date: 2018/05/10
-modified: 2020/08/27
+modified: 2021/03/24
 references:
     - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 logsource:
     category: dns
 detection:
     selection:
-        query:
-            - 'aaa.stage.*' 
-            - 'post.1*'
+        query|startswith:
+            - 'aaa.stage.' 
+            - 'post.1'
+            - 'www6.'
     condition: selection
 falsepositives:
     - Unknown