From 8caf897a732306ff755ab3b174b7bb70aa9a41b0 Mon Sep 17 00:00:00 2001 From: Andrew Pease <7442091+peasead@users.noreply.github.com> Date: Wed, 30 Sep 2020 17:58:24 -0500 Subject: [PATCH] [New Rule] Cobalt Strike Beacon (#21) --- ...mand_and_control_cobalt_strike_beacon.toml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 rules/network/command_and_control_cobalt_strike_beacon.toml diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml new file mode 100644 index 000000000..e0c111252 --- /dev/null +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -0,0 +1,56 @@ +[metadata] +creation_date = "2020/07/06" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/07/06" + +[rule] +author = ["Elastic"] +description = """ +Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and +exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for +command and control. +""" +false_positives = [ + """ + This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is + expected. + """, +] +index = ["packetbeat-*"] +language = "lucene" +license = "Elastic License" +name = "Cobalt Strike Command and Control Beacon" +note = "This activity has been observed in FIN7 campaigns." +references = [ + "https://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", +] +risk_score = 73 +rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c" +severity = "high" +tags = ["Elastic", "Network"] +type = "query" + +query = ''' +event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/ +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + +[[rule.threat.technique]] +id = "T1483" +name = "Domain Generation Algorithms" +reference = "https://attack.mitre.org/techniques/T1483/" + + +[rule.threat.tactic] +id = "TA0011" +name = "Command and Control" +reference = "https://attack.mitre.org/tactics/TA0011/"