IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Possible Consent Grant Attack via Azure-Registered Application Possible Okta DoS Attack »

› › ›

Possible FIN7 DGA Command and Control Behavior

edit

Possible FIN7 DGA Command and Control Behavior

edit

This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target’s network.

Rule type: query

Rule indices:

auditbeat-*
filebeat-*
packetbeat-*
logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

Tags:

Elastic
Network
Threat Detection
Command and Control
Host

Version: 6 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.14.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

This rule could identify benign domains that are formatted similarly to FIN7’s command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.

Investigation guide

edit

## Triage and analysis

In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.

Rule query

edit

event.category:(network OR network_traffic) AND type:(tls OR http) AND
network.transport:tcp AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT
destination.domain:zoom.us

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/

Rule version history

edit

Version 6 (7.14.0 release)

Updated query, changed from:

event.category:(network OR network_traffic) AND type:(tls OR http) AND
network.transport:tcp AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT
destination.domain:zoom.us

Version 5 (7.13.0 release)

Formatting only

Version 4 (7.12.0 release)

Formatting only

Version 3 (7.11.2 release)

Formatting only

Version 2 (7.11.0 release)

Formatting only

« Possible Consent Grant Attack via Azure-Registered Application Possible Okta DoS Attack »