Suspicious Cobalt Strike DNS Beaconing - DNS Client

Rule Info

Name
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Reference
https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
Date
2023-01-16 00:00:00
Modified
None
Id
0d18728b-f5bf-4381-9dcf-915539fff6c2
Tags
attack.command-and-control attack.t1071.004
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=0d18728b-f5bf-4381-9dcf-915539fff6c2

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
fix: broken logsource
2023-01-17
1c340493c
Nasreddine Bencherchali
feat: new rules and updates
2023-01-17
85fb255bc
frack113
Promotion rules (#3821)
2022-12-27
7060db3d4
frack113
Order yaml field
2022-10-25
dfdaecc52
frack113
Name Normalization
2022-02-27
ec7319be2
frack113
remove invalid tag
2022-01-19
4631d0c48
Florian Roth
refactor: change all " of them" expressions
2022-01-11
e055ec1d5
Florian Roth
CobaltStrike DNS rules
2021-11-09
39283c0ac
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022