Suspicious Cobalt Strike DNS Beaconing - DNS Client

Severity: critical
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1071.004` Application Layer Protocol: DNS

Event coverage

Provider	Event ID	Title
DNS-Client	3008	DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.

Stages and Predicates

Stage 1: `selection_eid`

Stage 2: `1 of selection_query_1`

or:
QueryName|startswith: aaa.stage.
QueryName|startswith: post.1

Stage 3: `1 of selection_query_2`

QueryName|contains: .stage.123456.

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`QueryName`	match	`.stage.123456.` corpus 2 (sigma 2)
`QueryName`	starts_with	`aaa.stage.` corpus 2 (sigma 2) `post.1` corpus 2 (sigma 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

DNS Query for Anonfiles.com Domain - DNS Client [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
DNS Query To MEGA Hosting Website - DNS Client [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
DNS Query To Put.io - DNS Client [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Query Tor Onion Address - DNS Client [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
DNS Query To Ufile.io - DNS Client [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)