False positives

This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm (four or five letters under one of the listed TLDs). Alerts should be investigated by an analyst to assess the validity of the individual observations.

Techniques

Sample rules

Possible FIN7 DGA Command and Control Behavior

Description

This rule detects a known command and control pattern in network events: TLS or HTTP connections over TCP to a domain whose name is exactly four or five letters under one of the TLDs .pw, .us, .club, .info, .site or .top, the shape of domains produced by the FIN7 domain generation algorithm (DGA). The FIN7 threat group is known to use this command and control technique while maintaining persistence in its target's network.

Detection logic

(event.dataset: (network_traffic.tls OR network_traffic.http) OR
    (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
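To see what the query above actually selects, and where the benign-domain false positives come from, here is an added example that re-implements the rule's logic in Python and runs it over a handful of constructed events. This is not code from the page or from the rule's authors; it mirrors the KQL clause by clause, using `re.fullmatch` because a Lucene regexp query such as `destination.domain:/.../` is anchored to the whole field value, and it adds a hypothetical `extra_exclusions` parameter to show how an analyst would tune out a confirmed-benign domain the same way `zoom.us` is excluded. The field names follow ECS, but the events themselves are made up.

```python
import re
from typing import Iterable, Optional, Set

# Regex lifted from the rule. fullmatch() reproduces Lucene regexp semantics,
# where the pattern must cover the entire field value, so "cdn.abcd.pw" does
# not match even though it contains "abcd.pw".
FIN7_DGA_RE = re.compile(r"[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)")

# The rule's only built-in exclusion: NOT destination.domain:zoom.us
RULE_EXCLUSIONS = {"zoom.us"}


def event_in_scope(event: dict) -> bool:
    """First clause of the query: TLS/HTTP network events, or generic
    network events of type tls/http carried over TCP."""
    if event.get("event.dataset") in ("network_traffic.tls", "network_traffic.http"):
        return True
    return (
        event.get("event.category") in ("network", "network_traffic")
        and event.get("type") in ("tls", "http")
        and event.get("network.transport") == "tcp"
    )


def matches_fin7_dga(event: dict, extra_exclusions: Optional[Set[str]] = None) -> bool:
    """True when the event would fire the rule.

    extra_exclusions is a hypothetical tuning knob (not part of the original
    rule): domains an analyst has already verified as benign."""
    if not event_in_scope(event):
        return False
    domain = event.get("destination.domain")
    if not domain:
        return False
    if domain in RULE_EXCLUSIONS or (extra_exclusions and domain in extra_exclusions):
        return False
    return FIN7_DGA_RE.fullmatch(domain) is not None


def run_rule(events: Iterable[dict], extra_exclusions: Optional[Set[str]] = None) -> list:
    """Return the events that the rule would alert on, in input order."""
    return [e for e in events if matches_fin7_dga(e, extra_exclusions)]


# Constructed sample events (not real telemetry), flattened to ECS field names.
SAMPLE_EVENTS = [
    # DGA-looking 5-letter name on .top: fires.
    {"id": 1, "event.dataset": "network_traffic.tls", "destination.domain": "qwzxk.top"},
    # Matches the regex but is explicitly excluded by the rule.
    {"id": 2, "event.dataset": "network_traffic.http", "destination.domain": "zoom.us"},
    # In scope via category/type/transport; a legitimate 4-letter name on .site
    # still fires: this is the benign false positive the page warns about.
    {"id": 3, "event.category": "network", "type": "http",
     "network.transport": "tcp", "destination.domain": "news.site"},
    # Six letters: outside {4,5}, does not fire.
    {"id": 4, "event.dataset": "network_traffic.tls", "destination.domain": "abcdef.pw"},
    # Subdomain present: anchored regex does not match the whole value.
    {"id": 5, "event.dataset": "network_traffic.tls", "destination.domain": "cdn.abcd.pw"},
    # DNS over UDP is outside the rule's event scope even though the name matches.
    {"id": 6, "event.category": "network", "type": "dns",
     "network.transport": "udp", "destination.domain": "abcd.club"},
    # Digits are not in [a-zA-Z]: does not fire.
    {"id": 7, "event.dataset": "network_traffic.tls", "destination.domain": "ab12.info"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {hit['id']}: {hit['destination.domain']}")
    # After an analyst clears news.site, only the DGA-looking domain remains.
    for hit in run_rule(SAMPLE_EVENTS, extra_exclusions={"news.site"}):
        print(f"ALERT (tuned) event {hit['id']}: {hit['destination.domain']}")
```

Events 1 and 3 fire; event 3 is the kind of benign hit the false-positive note describes, and the only thing separating it from event 1 is analyst judgement (reputation, registration age, traffic volume), not the regex. Note also that the rule keys on `destination.domain` as a whole value, so a DGA domain reached through a subdomain would be missed, and that the exclusion is an exact string match on `zoom.us`.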