DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query for a hostname under "azurewebsites.net" issued by a process that is not a known browser. The domain belongs to Azure App Service, where any tenant can register a subdomain, and it has been used by threat actors as a malware hosting and exfiltration site (see the references in the rule).
Sigma rule

```yaml
title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
    - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
      type: derived
status: experimental
description: |
    Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: 'azurewebsites.net'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
```
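To see how the condition `selection and not 1 of filter_optional_*` behaves on real-looking data, the following is an added example (not part of the SigmaHQ rule and not pySigma) that re-implements the rule's logic in plain Python and runs it over constructed Sysmon Event ID 22 (DnsQuery) records. Field names follow the Sigma `windows`/`dns_query` log source (`Image`, `QueryName`); the hostnames and user paths in the sample events are invented for the demonstration.

```python
"""Added example, not part of the SigmaHQ rule or of pySigma: the rule's
condition re-implemented in plain Python and run over constructed Sysmon
Event ID 22 (DnsQuery) records so the allow-list semantics can be checked
offline."""

PF = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")


def both_pf(rel):
    """Expand a path below Program Files into the 64-bit and 32-bit roots."""
    return [root + rel for root in PF]


# One entry per filter_optional_* selection.  A filter is a list of clauses
# (OR); a clause maps a Sigma modifier to its value list (AND across
# modifiers, OR within a list), which is how Sigma reads the YAML above.
BROWSER_FILTERS = {
    "chrome": [{"equals": both_pf("Google\\Chrome\\Application\\chrome.exe")}],
    "firefox": [{"equals": both_pf("Mozilla Firefox\\firefox.exe")}],
    "ie": [{"equals": both_pf("Internet Explorer\\iexplore.exe")}],
    "edge_1": [
        {"startswith": [PF[1] + "Microsoft\\EdgeWebView\\Application\\"]},
        {"endswith": ["\\WindowsApps\\MicrosoftEdge.exe"]},
        {"equals": both_pf("Microsoft\\Edge\\Application\\msedge.exe")},
    ],
    "edge_2": [{"startswith": both_pf("Microsoft\\EdgeCore\\"),
                "endswith": ["\\msedge.exe", "\\msedgewebview2.exe"]}],
    "safari": [{"endswith": ["\\safari.exe"]}],
    "defender": [{"endswith": ["\\MsMpEng.exe", "\\MsSense.exe"]}],
    "brave": [{"endswith": ["\\brave.exe"], "startswith": [PF[0] + "BraveSoftware\\"]}],
    "maxthon": [{"contains": ["\\AppData\\Local\\Maxthon\\"], "endswith": ["\\maxthon.exe"]}],
    "opera": [{"contains": ["\\AppData\\Local\\Programs\\Opera\\"], "endswith": ["\\opera.exe"]}],
    "seamonkey": [{"startswith": both_pf("SeaMonkey\\"), "endswith": ["\\seamonkey.exe"]}],
    "vivaldi": [{"contains": ["\\AppData\\Local\\Vivaldi\\"], "endswith": ["\\vivaldi.exe"]}],
    "whale": [{"startswith": both_pf("Naver\\Naver Whale\\"), "endswith": ["\\whale.exe"]}],
    "tor": [{"contains": ["\\Tor Browser\\"]}],
    "waterfox": [{"startswith": both_pf("Waterfox\\"), "endswith": ["\\Waterfox.exe"]}],
    "midori": [{"contains": ["\\AppData\\Local\\Programs\\midori-ng\\"],
                "endswith": ["\\Midori Next Generation.exe"]}],
    "slimbrowser": [{"startswith": both_pf("SlimBrowser\\"), "endswith": ["\\slimbrowser.exe"]}],
    "flock": [{"contains": ["\\AppData\\Local\\Flock\\"], "endswith": ["\\Flock.exe"]}],
    "phoebe": [{"contains": ["\\AppData\\Local\\Phoebe\\"], "endswith": ["\\Phoebe.exe"]}],
    "falkon": [{"startswith": both_pf("Falkon\\"), "endswith": ["\\falkon.exe"]}],
    "avant": [{"startswith": both_pf("Avant Browser\\"), "endswith": ["\\avant.exe"]}],
}


def match_clause(image, clause):
    """Evaluate one clause against Image; Sigma compares strings case-insensitively."""
    img = image.lower()
    ops = {
        "equals": lambda v: img == v,
        "startswith": img.startswith,
        "endswith": img.endswith,
        "contains": lambda v: v in img,
    }
    return all(any(ops[mod](v.lower()) for v in values) for mod, values in clause.items())


def is_allowlisted_browser(image):
    """True when any filter_optional_* selection matches (the `1 of` part)."""
    return any(match_clause(image, c) for f in BROWSER_FILTERS.values() for c in f)


def evaluate(event):
    """The rule condition for one dns_query event; True means the rule fires."""
    selection = event["QueryName"].lower().endswith("azurewebsites.net")
    return selection and not is_allowlisted_browser(event["Image"])


def detect(events):
    """Return the events the rule would raise, in input order."""
    return [e for e in events if evaluate(e)]


# Constructed Sysmon EID 22 records (hostnames and user paths invented for the demo).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "contoso-portal.azurewebsites.net"},            # browser: filtered
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "QueryName": "update-cdn-3391.azurewebsites.net"},           # non-browser: fires
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Opera\\opera.exe",
     "QueryName": "contoso-portal.azurewebsites.net"},            # browser: filtered
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com"},                     # selection misses
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "contoso-portal.azurewebsites.net"},            # per-user Chrome: fires
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['QueryName']}")
```

Two things the run makes visible. The Chrome, Firefox, IE and Edge filters are anchored to fixed install paths, so a per-user Chrome installed under `%LOCALAPPDATA%` (the fifth sample) is not filtered and fires; that is exactly the class of noise the rule's `falsepositives` field asks you to tune with additional filters, and the path anchoring is also why a renamed binary dropped into a user directory cannot hide behind a browser name. Separately, `QueryName|endswith: 'azurewebsites.net'` is a plain suffix match, so any hostname whose string ends that way satisfies the selection, including look-alike registrable domains; that widens coverage rather than narrowing it, but it is worth knowing when reading hits.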