DNS Query To AzureWebsites.NET By Non-Browser Process

Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The domain has often been used by threat actors as a malware hosting and exfiltration site, so the rule alerts on any process other than the listed browsers (and Defender) resolving it.

Sigma rule

title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
    - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
      type: derived
status: experimental
description: |
        Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/06/24
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    # Any DNS query whose name ends with the abused domain
    selection:
        QueryName|endswith: 'azurewebsites.net'
    # Each filter_optional_* block describes one legitimate browser (or Defender);
    # keys within a block are ANDed, list values are ORed
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_waterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    # Alert only when the query matches and none of the browser filters do
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
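To make the condition `selection and not 1 of filter_optional_*` concrete, the following added example (not part of the rule or of the Sigma project) implements only the Sigma semantics this rule relies on and runs them over constructed Sysmon Event ID 22 (DNS query) records. It assumes the event fields `Image` and `QueryName` as the rule uses them, applies Sigma's default case-insensitive matching, and copies a subset of the filter blocks verbatim: keys inside a block are ANDed, list values are ORed, and a block written as a list of maps is an OR of those maps.

```python
# Added example: a minimal evaluator for the rule's detection logic against
# constructed Sysmon Event ID 22 records. Implements only the Sigma subset the
# rule uses: equality, endswith/startswith/contains modifiers, case-insensitive
# comparison, AND across keys of a map, OR across list values and list-of-maps.

DETECTION = {
    "selection": {"QueryName|endswith": "azurewebsites.net"},
    # Subset of the rule's filter_optional_* blocks, copied from the rule above.
    "filter_optional_chrome": {
        "Image": [
            "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
        ]
    },
    "filter_optional_edge_1": [  # list of maps: any one map is enough
        {"Image|startswith": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"},
        {"Image|endswith": "\\WindowsApps\\MicrosoftEdge.exe"},
        {"Image": [
            "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe",
        ]},
    ],
    "filter_optional_brave": {  # both keys must match (AND)
        "Image|endswith": "\\brave.exe",
        "Image|startswith": "C:\\Program Files\\BraveSoftware\\",
    },
}


def _match_value(field_value, pattern, modifier):
    """Compare one field value with one pattern under a Sigma modifier."""
    fv, p = field_value.lower(), pattern.lower()  # Sigma matches case-insensitively
    if modifier is None:
        return fv == p
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "contains":
        return p in fv
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(event, mapping):
    """All keys of a map must match; a list of values is an OR."""
    for key, patterns in mapping.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(value, p, modifier or None) for p in patterns):
            return False
    return True


def match_search(event, search):
    """A search identifier is either a map or a list of maps (OR)."""
    if isinstance(search, list):
        return any(_match_map(event, m) for m in search)
    return _match_map(event, search)


def evaluate(event, detection):
    """condition: selection and not 1 of filter_optional_*"""
    if not match_search(event, detection["selection"]):
        return False
    filters = [v for k, v in detection.items() if k.startswith("filter_optional_")]
    return not any(match_search(event, f) for f in filters)


def alerting_images(events, detection=DETECTION):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if evaluate(e, detection)]


# Constructed records in Sysmon EID 22 shape; not real telemetry.
EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "portal.azurewebsites.net"},                       # filtered: Chrome
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "QueryName": "cdn-files.azurewebsites.net"},                    # alert
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "QueryName": "login.microsoftonline.com"},                      # not selected
    {"Image": "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe",
     "QueryName": "app.azurewebsites.net"},                          # filtered: Brave
    {"Image": "C:\\Users\\alice\\Downloads\\brave.exe",
     "QueryName": "app.azurewebsites.net"},                          # alert: wrong path
    {"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "QueryName": "app.azurewebsites.net"},                          # filtered: Edge
]

if __name__ == "__main__":
    for image in alerting_images(EVENTS):
        print("ALERT:", image)
```

The fifth record shows why the filters are written with two modifiers where they are: a `brave.exe` outside `C:\Program Files\BraveSoftware\` satisfies `Image|endswith` but not `Image|startswith`, so the filter does not apply and the query is reported. Filters that key on a file name alone (for example `\safari.exe`) are correspondingly weaker, which is the trade-off the `falsepositives` note asks you to manage when adding filters for browsers deployed in your environment.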
