Detectioncriticaltest

Suspicious Cobalt Strike DNS Beaconing - Sysmon

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Tue Nov 09Updated Mon Jan 16f356a9c4-effd-4608-bbf8-408afd5cd006windows

Log Source

WindowsDNS Query

ProductWindows← raw: windows

CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic

detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Sub-techniques

T1071.004 · DNS

Related Rules

SimilarDetectioncritical

Suspicious Cobalt Strike DNS Beaconing - DNS Client

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

f356a9c4-effd-4608-bbf8-408afd5cd006

Status

test

Level

critical

Type

Detection

Created

Tue Nov 09

Modified

Mon Jan 16

Author

Florian Roth (Nextron Systems)

Path

rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml

Raw Tags

attack.command-and-controlattack.t1071.004

View on GitHub