This rule should be tailored to exclude systems, as sources or destinations, in which this behavior is expected.

Techniques

Sample rules

Cobalt Strike Command and Control Beacon

Description

Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.

Detection logic

((event.category: (network OR network_traffic) AND type: (tls OR http))
    OR event.dataset: (network_traffic.tls OR network_traffic.http)
) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
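As an added example (not part of this LoFP page or of the rule itself), the query above re-implemented in Python over constructed ECS-style events, including the source/destination exclusion the false-positive note asks for; field names follow the query, while the sample events and the excluded host are constructed.

```python
import re
from typing import Dict, Iterable, List

# The rule's destination.domain regex, verbatim. Lucene regex queries match the
# whole field value, so fullmatch is the equivalent. The two unescaped dots
# (after the 3-letter label and after "stage") are wildcards in the original
# as well, so "abcXstageY12345678.x" would also fire.
STAGER_DOMAIN = re.compile(r"[a-z]{3}.stage.[0-9]{8}\..*")

Event = Dict[str, str]


def is_network_event(ev: Event) -> bool:
    """Source clause of the rule: ECS network category with a tls/http type,
    or the Packetbeat tls/http datasets."""
    if ev.get("event.category") in ("network", "network_traffic") and ev.get("type") in ("tls", "http"):
        return True
    return ev.get("event.dataset") in ("network_traffic.tls", "network_traffic.http")


def matches_rule(ev: Event, excluded: frozenset = frozenset()) -> bool:
    """True when the event would fire. `excluded` holds sources (IPs) or
    destinations (domains) where this traffic is expected: the tailoring step."""
    domain = ev.get("destination.domain", "")
    if not is_network_event(ev):
        return False
    if ev.get("source.ip") in excluded or domain in excluded:
        return False
    return STAGER_DOMAIN.fullmatch(domain) is not None


def run_rule(events: Iterable[Event], excluded: frozenset = frozenset()) -> List[str]:
    """Destination domains of every event that fires the rule."""
    return [ev["destination.domain"] for ev in events if matches_rule(ev, excluded)]


# Constructed sample events, not real traffic.
SAMPLE_EVENTS: List[Event] = [
    {"event.category": "network", "type": "tls", "source.ip": "10.0.0.5",
     "destination.domain": "abc.stage.12345678.example.test"},
    {"event.dataset": "network_traffic.http", "source.ip": "10.0.0.9",
     "destination.domain": "xyz.stage.87654321.cdn.example.test"},
    # Similar shape but no 8-digit label: must not fire.
    {"event.category": "network", "type": "http", "source.ip": "10.0.0.7",
     "destination.domain": "www.stage.example.test"},
    # Matching domain, but not a network event: dropped by the source clause.
    {"event.category": "process", "type": "start", "source.ip": "10.0.0.5",
     "destination.domain": "abc.stage.12345678.example.test"},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
    print(run_rule(SAMPLE_EVENTS, frozenset({"10.0.0.5"})))  # 10.0.0.5 excluded as expected source
```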