high | threat
Cobalt Strike Command and Control Beacon Detected
2 rules, 2 TTPs
This brief documents the detection of Cobalt Strike command and control activity through identifying specific domain naming conventions used by its implant beacons, indicative of network attack and exploitation campaigns.
Integrations: packetbeat
Threat groups: FIN7
Tags: command-and-control, cobalt-strike, domain-generation-algorithm
high | threat
Non-Chrome Process Accessing Chrome Default Directory
2 rules, 1 TTP
Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.
Integrations: Splunk Enterprise
Threat groups: FIN7
Tags: credential-access, threat-type, windows
high | threat
FIN7 DGA Command and Control Behavior Detection
3 rules, 2 TTPs
This rule detects command and control activity associated with the FIN7 threat group, which is known to use domain generation algorithms (DGA) to maintain persistence in a target's network, by identifying TLS or HTTP network traffic to domains that match a specific pattern.
Threat groups: FIN7
Tags: command-and-control, dga, network_traffic