[metadata] creation_date = "2020/07/06" integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/10/16" [rule] author = ["Elastic"] description = """ Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. """ false_positives = [ """ This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected. """, ] from = "now-9m" index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"] language = "lucene" license = "Elastic License v2" name = "Cobalt Strike Command and Control Beacon" note = """## Threat intel This activity has been observed in FIN7 campaigns.""" references = [ "https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack", ] risk_score = 73 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c" severity = "high" tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"] timestamp_override = "event.ingested" type = "query" query = ''' ((event.category: (network OR network_traffic) AND type: (tls OR http)) OR event.dataset: (network_traffic.tls OR network_traffic.http) ) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/ ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1071" name = "Application Layer Protocol" reference = "https://attack.mitre.org/techniques/T1071/" [[rule.threat.technique]] id = "T1568" name = "Dynamic Resolution" reference = "https://attack.mitre.org/techniques/T1568/" [[rule.threat.technique.subtechnique]] id = "T1568.002" name = "Domain Generation Algorithms" reference = "https://attack.mitre.org/techniques/T1568/002/" [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/"