Cobalt Strike Command and Control Beacon

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-07-06

About

Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.

Tags

Use Case: Threat DetectionTactic: Command and ControlDomain: EndpointLanguage: lucene

Severity

high

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

↳ Dynamic Resolution (T1568)(opens in a new tab or window)

False Positive Examples

This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: packetbeat-*auditbeat-*filebeat-*logs-network_traffic.*
Related Integrations: network_traffic(opens in a new tab or window)
Query

((event.category: (network OR network_traffic) AND type: (tls OR http))
    OR event.dataset: (network_traffic.tls OR network_traffic.http)
) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/

Install detection rules in Elastic Security

Detect Cobalt Strike Command and Control Beacon in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).