Possible FIN7 DGA Command and Control Behavior

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-07-06

About

This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.

Tags

Use Case: Threat DetectionTactic: Command and ControlDomain: EndpointData Source: PAN-OSLanguage: lucene

Severity

high

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

↳ Dynamic Resolution (T1568)(opens in a new tab or window)

False Positive Examples

This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

packetbeat-*auditbeat-*filebeat-*logs-network_traffic.*logs-panw.panos*

Related Integrations

network_traffic(opens in a new tab or window)

panw(opens in a new tab or window)

Query

(event.dataset: (network_traffic.tls OR network_traffic.http) OR
    (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us

Install detection rules in Elastic Security

Detect Possible FIN7 DGA Command and Control Behavior in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).