Possible FIN7 DGA Command and Control Behavior

Elastic Stack Serverless Security

This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target’s network.

Rule type: query

Rule indices:

auditbeat-*
filebeat-*
packetbeat-*
logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

Tags:

Elastic
Network
Threat Detection
Command and Control
Host

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

In the event this rule identifies benign domains in your environment, the destination.domain field in the rule can be modified to include those domains. Example: ...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2).

Rule query

		event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp
AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us

Framework: MITRE ATT&CKTM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/
Technique:
- Name: Dynamic Resolution
- ID: T1568
- Reference URL: https://attack.mitre.org/techniques/T1568/
Sub-technique:
- Name: Domain Generation Algorithms
- ID: T1568.002
- Reference URL: https://attack.mitre.org/techniques/T1568/002/