security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
T
frack113 ec7319be21 Name Normalization 
Name Normalization
2022-02-27 07:39:46 +01:00

30 lines
804 B
YAML
Raw Blame History

title: Suspicious Cobalt Strike DNS Beaconing
id: f356a9c4-effd-4608-bbf8-408afd5cd006
status: experimental
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
author: Florian Roth
date: 2021/11/09
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
tags:
- attack.command_and_control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection2:
QueryName|contains: '.stage.123456.'
condition: 1 of selection*
fields:
- Image
- CommandLine
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink