Hunting Queries/MultipleDataSources/CobaltDNSBeacon.txt
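//Name: Cobalt Strike DNS Beaconing
//
//Description: Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike to compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons.
//This is based out of sigma rules described here: https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml
//
// Id: dde206fc-3f0b-4175-bb5d-42d2aae9d4c9
//
// DataSource: Syslog, VMConnection , DnsEvents
//
// Tactics: #CommandAndControl
//
// NOTE(review): the DataSource header lists Syslog, but only DnsEvents and
// VMConnection are queried below.
//
// Lookback window and the beacon indicators taken from the sigma rule. Both
// union branches read the same list, so adding an indicator changes them together.
let lookback = 1d;
let beaconIndicators = dynamic(["aaa.stage.", "post.1"]);
(union isfuzzy=true
(
DnsEvents
| where TimeGenerated >= ago(lookback)
// has_any is the OR of per-indicator `has` checks; `has` is term-based, so this is
// the same (whole-token) match the original query used, not a substring match.
| where Name has_any (beaconIndicators)
| extend Domain = Name, SourceIP = ClientIP, DestinationIp = IPAddresses
| extend IPCustomEntity = IPAddresses
),
(
VMConnection
| where TimeGenerated >= ago(lookback)
| where isnotempty(RemoteDnsCanonicalNames)
// RemoteDnsCanonicalNames is a JSON-array string; this captures everything between
// the opening '["' and the closing '"]', so several names remain in a single row.
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where DNSName has_any (beaconIndicators)
// Expose the same entity columns as the DnsEvents branch so rows from either source
// carry SourceIP / DestinationIp / IPCustomEntity after the union. DestinationIp
// already exists in VMConnection under that exact name and is left as-is.
| extend Domain = DNSName, SourceIP = SourceIp, IPCustomEntity = RemoteIp
))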