//Name: Cobalt Strike DNS Beaconing
//
//Description: Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike To compromise an //environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons.
//This is based out of sigma rules described here: //https://github.com/Neo23x0/sigma/blob/master/rules/network/net_mal_dns_cobaltstrike.yml
//
// Id: dde206fc-3f0b-4175-bb5d-42d2aae9d4c9
//
// DataSource: Syslog, VMConnection , DnsEvents
//
// Tactics: #CommandAndControl
//
(union isfuzzy=true
(
DnsEvents
| where TimeGenerated >= ago(1d)
| where Name has "aaa.stage." or Name has "post.1"
| extend Domain = Name, SourceIP = ClientIP , DestinationIp = IPAddresses
| extend IPCustomEntity = IPAddresses
),
(
VMConnection
| where TimeGenerated >= ago(1d)
| where isnotempty(RemoteDnsCanonicalNames)
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
| where DNSName has "aaa.stage." or DNSName has "post.1"
| extend Domain = DNSName
))cloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Hunting Queries/MultipleDataSources/CobaltDNSBeacon.txt
27lines · modepreview
6 years ago