security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Possible FIN7 Command and Control Behavior (#28)

Browse Source
This commit is contained in:
Andrew Pease
2020-09-30 18:26:13 -05:00
committed by GitHub
parent d68e4ac7f0
commit faeac00465
1 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/network/command_and_control_fin7_c2_behavior.toml
+56
View File
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2020/07/06"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/07"
[rule]
author = ["Elastic"]
description = """
This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this
command and control technique, while maintaining persistence in their target's network.
"""
false_positives = [
"""
This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts
should be investigated by an analyst to assess the validity of the individual observations.
""",
]
index = ["packetbeat-*"]
language = "lucene"
license = "Elastic License"
name = "Possible FIN7 DGA Command and Control Behavior"
note = "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."
references = [
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
]
risk_score = 73
rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
severity = "high"
tags = ["Elastic", "Network"]
type = "query"
query = '''
event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp
AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1483"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1483/"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"