Language: KQL
License: Elastic-2.0
Source: elastic/detection-rules
Possible FIN7 DGA Command and Control Behavior
Quality: 92
FP risk: not listed
Rule source: rules/network/command_and_control_fin7_c2_behavior.toml
(data_stream.dataset: (network_traffic.tls OR network_traffic.http) OR
(event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
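As an added example, not code from the elastic/detection-rules repository, the Python below replays the query's logic over a handful of constructed events so the matching semantics are visible: the data-source clause (TLS or HTTP over TCP), the regex on destination.domain, and the single zoom.us exclusion. The field names are the ones the query references (data_stream.dataset, event.category, the bare packetbeat-style type field, network.transport, destination.domain); the helper names in_scope, matches_rule and run_rule and every sample event are assumptions made for this illustration. One detail the KQL hides is that a /regex/ in Elasticsearch is anchored to the whole field value, which the code mirrors with fullmatch().

```python
import re

# Added example: replays the FIN7 DGA rule over constructed events. Field names are
# those the rule references; the events and helper names are illustrative assumptions.

# KQL/Lucene regex is anchored to the whole field value, so use fullmatch(), not
# search(): "www.abcde.club" does NOT fire, only a bare "xxxxx.tld" value does.
DGA_DOMAIN_RE = re.compile(r"[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)")

# The rule's single exclusion (NOT destination.domain:zoom.us); extend when tuning.
EXCLUDED_DOMAINS = {"zoom.us"}


def in_scope(event: dict) -> bool:
    """Mirror the rule's data-source clause: TLS/HTTP datasets, or network events
    of type tls/http carried over TCP."""
    if event.get("data_stream.dataset") in ("network_traffic.tls", "network_traffic.http"):
        return True
    categories = event.get("event.category", [])
    if not isinstance(categories, list):  # ECS allows a scalar or a list here
        categories = [categories]
    return (
        any(c in ("network", "network_traffic") for c in categories)
        and event.get("type") in ("tls", "http")
        and event.get("network.transport") == "tcp"
    )


def matches_rule(event: dict) -> bool:
    """True when the event would fire the rule."""
    if not in_scope(event):
        return False
    domain = event.get("destination.domain")
    if not domain or domain in EXCLUDED_DOMAINS:
        return False
    return DGA_DOMAIN_RE.fullmatch(domain) is not None


def run_rule(events) -> list:
    """Return the destination.domain of every event that fires the rule."""
    return [e["destination.domain"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); each comment states the outcome.
SAMPLE_EVENTS = [
    {"data_stream.dataset": "network_traffic.tls",
     "destination.domain": "qwbxz.pw"},                     # fires: 5 letters + .pw
    {"data_stream.dataset": "network_traffic.http",
     "destination.domain": "zoom.us"},                      # no: excluded by the NOT clause
    {"data_stream.dataset": "network_traffic.tls",
     "destination.domain": "www.abcde.club"},               # no: subdomain, regex is whole-field
    {"event.category": ["network"], "type": "http", "network.transport": "tcp",
     "destination.domain": "abcd.info"},                    # fires via the category/type/tcp clause
    {"event.category": ["network"], "type": "dns", "network.transport": "udp",
     "destination.domain": "abcd.info"},                    # no: DNS over UDP is out of scope
    {"data_stream.dataset": "network_traffic.tls",
     "destination.domain": "abc.top"},                      # no: only 3 letters
    {"data_stream.dataset": "network_traffic.tls",
     "destination.domain": "ab1de.site"},                   # no: a digit breaks [a-zA-Z]
    {"data_stream.dataset": "network_traffic.tls",
     "destination.domain": "hjkmq.com"},                    # no: TLD not in the list
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT destination.domain =", hit)
```

Two practical consequences follow from the replay. First, because the regex is whole-field, a C2 host placed under a subdomain (cdn.abcde.site) never fires; pairing this rule with a DNS-layer rule on the registered domain closes that gap. Second, any legitimate four- or five-letter domain on .us, .info or the other listed TLDs matches the pattern, which is why the rule already carries one exclusion; the EXCLUDED_DOMAINS set is the knob to extend with environment-specific allowlisting rather than loosening the regex.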