From a465f2722f55fcf8979afe24ebbed58f3dcd4cc4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 24 Mar 2021 11:29:05 +0100
Subject: [PATCH] refactor: CobaltStrike beacon rule

---
 rules/network/net_mal_dns_cobaltstrike.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 666f7c72b..bc1cf186f 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -4,16 +4,18 @@ status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 author: Florian Roth
 date: 2018/05/10
-modified: 2020/08/27
+modified: 2021/03/24
 references:
     - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 logsource:
     category: dns
 detection:
     selection:
-        query:
-            - 'aaa.stage.*'
-            - 'post.1*'
+        query|startswith:
+            - 'aaa.stage.'
+            - 'post.1'
+            - 'www6.'
     condition: selection
 falsepositives:
     - Unknown
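Review bot: The newly added `'www6.'` prefix under `query|startswith` matches any DNS query whose leftmost label is `www6`, which is a common legitimate hostname pattern, yet `falsepositives` in the same hunk still reads `- Unknown`; it should name the expected noise, e.g. `- Legitimate hosts using a 'www6' label` and `- Hostnames whose first label begins with 'post.1'`, since `'post.1'` likewise prefix-matches anything such as a `post.10` label. Because `'www6.'` is a new detection term rather than a rewrite of the old wildcards, a short comment above the list, `# prefixes observed in Cobalt Strike DNS beacon mode; see sekoia reference`, would tell analysts triaging hits where the indicators come from. The rule's `level` key, if present, lies below the hunk and is not visible here, so whether it was adjusted for the broader match set cannot be checked from this diff.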