Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectioncriticaltest

Suspicious Cobalt Strike DNS Beaconing - DNS Client

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Jan 160d18728b-f5bf-4381-9dcf-915539fff6c2windows
Log Source
Windowsdns-client
ProductWindows← raw: windows
Servicedns-client← raw: dns-client

Definition

Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.

Detection Logic
Detection Logic3 selectors
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
icebrg.io
2
Resolving title…
sekoia.io
MITRE ATT&CK

Sub-techniques

T1071.004 · DNS
Related Rules
SimilarDetectioncritical

Suspicious Cobalt Strike DNS Beaconing - Sysmon

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
0d18728b-f5bf-4381-9dcf-915539fff6c2
Status
test
Level
critical
Type
Detection
Created
Mon Jan 16
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/builtin/dns_client/win_dns_client_mal_cobaltstrike.yml
Raw Tags
attack.t1071.004attack.command-and-control
View on GitHub