
Cobalt Strike Command and Control Beacon

Elastic Detection Rules

Summary
This rule looks for network traffic patterns associated with Cobalt Strike, a commercial adversary-simulation framework that attackers frequently repurpose for command and control (C2). It keys on the domain naming convention used by Cobalt Strike beacon stagers: a destination domain matching the regex `[a-z]{3}.stage.[0-9]{8}\..*` (three letters, `stage`, an eight-digit number, then the remainder of the domain). Note that the `.` on either side of `stage` is unescaped, so as written it matches any single character, not only a literal dot. Before deploying, tune the rule to exclude known legitimate sources, such as internal staging environments or software updaters whose hostnames happen to fit the pattern, to keep false positives down. When the rule fires, the recommended response is to isolate the affected host, collect forensic artifacts from it, and add network controls that block the C2 infrastructure so the beacon cannot reconnect. The rule is associated with FIN7, a group known to use Cobalt Strike in its intrusions.
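The detection logic above, run over a handful of constructed ECS-style network events, as an added example that is not part of the Elastic rule or this page. It applies the summary's regex exactly as written (showing that the unescaped dots also accept `-`), adds a tighter anchored variant and a suffix allowlist as this example's own assumptions, and returns the source addresses to prioritise for isolation.

```python
"""Apply the domain pattern from the rule summary to ECS-style network events."""
import re

# The pattern quoted in the rule summary, used exactly as written there.
# The '.' before and after "stage" is unescaped, so it matches any single
# character (a '-' or '_' as well as a literal dot). IGNORECASE is added here
# because DNS names are case-insensitive; treat that as this example's choice.
LOOSE_PATTERN = re.compile(r"[a-z]{3}.stage.[0-9]{8}\..*", re.IGNORECASE)

# Tighter variant (an assumption of this example, not the rule's own query):
# literal dots and anchors, so only "xxx.stage.NNNNNNNN.<rest>" matches.
STRICT_PATTERN = re.compile(r"^[a-z]{3}\.stage\.[0-9]{8}\.[a-z0-9.-]+$", re.IGNORECASE)

# Hypothetical allowlist of domain suffixes that are known-good in this
# environment (e.g. an internal staging naming scheme); tune per site.
ALLOWLIST_SUFFIXES = ("staging.internal.example",)


def is_allowlisted(domain, allowlist=ALLOWLIST_SUFFIXES):
    """True if the domain is, or sits under, an allowlisted suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in allowlist)


def match_beacon_domains(events, pattern=LOOSE_PATTERN, allowlist=ALLOWLIST_SUFFIXES):
    """Return (source.ip, destination.domain) pairs for events whose destination
    domain matches the pattern and is not covered by the allowlist."""
    hits = []
    for ev in events:
        domain = ev.get("destination.domain")
        if not domain or is_allowlisted(domain, allowlist):
            continue
        if pattern.search(domain):
            hits.append((ev.get("source.ip"), domain))
    return hits


# Constructed sample events (ECS field names); not real telemetry.
SAMPLE_EVENTS = [
    {"source.ip": "10.0.0.5", "destination.domain": "abc.stage.12345678.example.net"},
    # Matches the loose pattern only because the unescaped dots accept '-'.
    {"source.ip": "10.0.0.6", "destination.domain": "xyz-stage-87654321.evil-cdn.test"},
    {"source.ip": "10.0.0.7", "destination.domain": "updates.vendor.example"},
    # Fits the pattern but is suppressed by the allowlist.
    {"source.ip": "10.0.0.8", "destination.domain": "app.stage.20240101.staging.internal.example"},
    # Upper-case variant, caught only because IGNORECASE is set.
    {"source.ip": "10.0.0.9", "destination.domain": "ABC.STAGE.11112222.example.org"},
]


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label)
        for src, dom in match_beacon_domains(SAMPLE_EVENTS, pat):
            print(f"  isolate candidate {src}: {dom}")
```

Running it shows the trade-off the summary hints at: the loose pattern flags the dash-separated `xyz-stage-87654321` host as well as the dotted ones, while the strict variant only fires on the literal `xxx.stage.NNNNNNNN.` form, and the allowlist keeps the internal staging host out of both result sets.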
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Process
  • Application Log
ATT&CK Techniques
  • T1071
  • T1568
  • T1568.002
Created: 2020-07-06