security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
T
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00

34 lines
919 B
YAML
Raw Blame History

title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
- id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021/11/09
modified: 2023/01/16
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection2:
QueryName|contains: '.stage.123456.'
condition: 1 of selection*
falsepositives:
- Unknown
fields:
- Image
- CommandLine
level: critical
Reference in New Issue View Git Blame Copy Permalink