EXPLORE
Sign In
← Back to Explore
elastichighTTP

Possible FIN7 DGA Command and Control Behavior

This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.

MITRE ATT&CK

T1071T1071.001T1568T1568.002
command-and-control

Detection Query

(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
    (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us

Author

Elastic

Created

2020/07/06

Data Sources

PAN-OSpacketbeat-*auditbeat-*filebeat-*logs-network_traffic.*logs-panw.panos*

References

Tags

Use Case: Threat DetectionTactic: Command and ControlDomain: EndpointData Source: PAN-OSResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2020/07/06"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this
command and control technique, while maintaining persistence in their target's network.
"""
false_positives = [
    """
    This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts
    should be investigated by an analyst to assess the validity of the individual observations.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "lucene"
license = "Elastic License v2"
name = "Possible FIN7 DGA Command and Control Behavior"
note = """## Triage and analysis

In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."""
references = [
    "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
]
risk_score = 73
rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
    (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[[rule.threat.technique]]
id = "T1568"
name = "Dynamic Resolution"
reference = "https://attack.mitre.org/techniques/T1568/"

[[rule.threat.technique.subtechnique]]
id = "T1568.002"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1568/002/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"