diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 666f7c72b..bc1cf186f 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -4,16 +4,18 @@ status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 author: Florian Roth
 date: 2018/05/10
-modified: 2020/08/27
+modified: 2021/03/24
 references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 logsource:
 category: dns
 detection:
 selection:
- query:
- - 'aaa.stage.*'
- - 'post.1*'
+ query|startswith: - 'aaa.stage.' - 'post.1' - 'www6.'
 condition: selection
 falsepositives:
 - Unknown
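Review bot: The new `www6.` entry under `query|startswith` matches every DNS query for a hostname beginning with `www6.`, which is a common naming scheme for legitimate web front-ends, so the rule now has a known false-positive class that the unchanged `falsepositives: - Unknown` line does not reflect. Either narrow that prefix (for example by requiring it together with another beacon indicator in `condition`) or document it so analysts triaging hits know what to expect, e.g. `falsepositives:` / `- Legitimate hosts named www6.<domain>`. The `aaa.stage.` and `post.1` entries are behaviour-preserving rewrites of the former `aaa.stage.*` and `post.1*` wildcards; all three presumably reflect the tool's default profile values, which are operator-configurable, so a short sentence in `description` stating that the rule covers default-profile DNS beacons only would set expectations. The rule's `title`/`id` header above line 4 and any keys after `falsepositives` (such as `level`) are outside the hunk.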