Possible FIN7 DGA Command and Control Behavior

This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target’s network.

Rule type: query

Rule indices:

auditbeat-*
filebeat-*
packetbeat-*
logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

Tags:

Elastic
Network
Threat Detection
Command and Control
Host

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Triage and analysis

In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.

Rule query

edit

event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp
AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/
Technique:
- Name: Dynamic Resolution
- ID: T1568
- Reference URL: https://attack.mitre.org/techniques/T1568/
Sub-technique:
- Name: Domain Generation Algorithms
- ID: T1568.002
- Reference URL: https://attack.mitre.org/techniques/T1568/002/

« Roshal Archive (RAR) or PowerShell File Downloaded from the Internet Halfbaked Command and Control Beacon »