From faeac00465e9183fe5c021ef1055a8836b224ae5 Mon Sep 17 00:00:00 2001
From: Andrew Pease <7442091+peasead@users.noreply.github.com>
Date: Wed, 30 Sep 2020 18:26:13 -0500
Subject: [PATCH] [New Rule] Possible FIN7 Command and Control Behavior (#28)
---
 .../command_and_control_fin7_c2_behavior.toml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 rules/network/command_and_control_fin7_c2_behavior.toml
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
new file mode 100644
index 000000000..f05596f14
--- /dev/null
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2020/07/06"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/07/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this
+command and control technique, while maintaining persistence in their target's network.
+"""
+false_positives = [
+ """
+ This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts
+ should be investigated by an analyst to assess the validity of the individual observations.
+ """,
+]
+index = ["packetbeat-*"]
+language = "lucene"
+license = "Elastic License"
+name = "Possible FIN7 DGA Command and Control Behavior"
+note = "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."
+references = [
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+]
+risk_score = 73
+rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
+severity = "high"
+tags = ["Elastic", "Network"]
+type = "query"
+
+query = '''
+event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp
+AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1483"
+name = "Domain Generation Algorithms"
+reference = "https://attack.mitre.org/techniques/T1483/"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
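Review bot: The `query` matches `destination.domain` with a Lucene regexp, which is anchored to the whole field, so the rule fires only when the entire value is a four- or five-letter label plus one of the six listed TLDs; a value carrying an additional host label will not match, while every short legitimate name on `.us`, `.info` or `.top` will, which is a wide false-positive surface for a `severity = "high"` / `risk_score = 73` rule whose only exclusion is `zoom.us`. Neither `description` nor `note` states what the pattern actually is, so an analyst reading the alert cannot tell why a domain was flagged; add a sentence to `description` such as `Matches TLS or HTTP destinations whose domain is a four- or five-letter label directly under the .pw, .us, .club, .info, .site or .top TLDs, a naming pattern associated with FIN7's domain generation algorithm.` The anchoring behaviour is inferred from Elasticsearch regexp semantics and should be confirmed against the `destination.domain` values Packetbeat produces in the deploying environment.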