Cobalt Strike Command and Control Beacon

Elastic Stack Serverless Security

Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.

Rule type: query

Rule indices:

• auditbeat-*
• filebeat-*
• packetbeat-*
• logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• https://blog.morphisec.com/fin7-attacks-restaurant-industry
• https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
• https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack

Tags:

• Elastic
• Network
• Threat Detection
• Command and Control
• Host

Version: 101

Rule authors:

• Elastic

Rule license: Elastic License v2

This activity has been observed in FIN7 campaigns.

event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Command and Control
  • ID: TA0011
  • Reference URL: https://attack.mitre.org/tactics/TA0011/

• Technique:

  • Name: Application Layer Protocol
  • ID: T1071
  • Reference URL: https://attack.mitre.org/techniques/T1071/

• Technique:

  • Name: Dynamic Resolution
  • ID: T1568
  • Reference URL: https://attack.mitre.org/techniques/T1568/

• Sub-technique:

  • Name: Domain Generation Algorithms
  • ID: T1568.002
  • Reference URL: https://attack.mitre.org/techniques/T1568/002/