An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

Read More

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Read More

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

Read More

Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes

Read More

Detects DNS queries initiated by "Regsvr32.exe"

Read More

Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

Read More

Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Read More

Detects DNS queries for subdomains related to MEGA sharing website

Read More

Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Read More

Detects DNS queries to an ".onion" address related to Tor routing networks

Read More

Detects DNS server discovery via LDAP query requests from uncommon applications

Read More

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Read More

Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.

Read More

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)

Read More