Suspicious Cobalt Strike DNS Beaconing - Sysmon

Severity: critical
Author: Florian Roth (Nextron Systems)
Source: upstream

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1071.004` Application Layer Protocol: DNS

Event coverage

Provider	Event ID	Title
Sysmon	22	DNSEvent (DNS query)

Stages and Predicates

Stage 1: `1 of selection1`

or:
QueryName|startswith: aaa.stage.
QueryName|startswith: post.1

Stage 2: `1 of selection2`

QueryName|contains: .stage.123456.

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`QueryName`	match	`.stage.123456.` corpus 2 (sigma 2)
`QueryName`	starts_with	`aaa.stage.` corpus 2 (sigma 2) `post.1` corpus 2 (sigma 2)