DNS Query To Remote Access Software Domain
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Sigma rule
```yaml
title: DNS Query To Remote Access Software Domain
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsoletes
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsoletes
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsoletes
status: experimental
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
author: frack113, Connor Martin
date: 2022/07/11
modified: 2023/04/18
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.getgo.com'
            - '.logmein.com'
            - '.ammyy.com'
            - '.netsupportsoftware.com' # For NetSupport Manager RAT
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - '.net.anydesk.com'
            - 'api.playanext.com'
            - '.relay.splashtop.com'
            - '.api.splashtop.com'
            - 'app.atera.com'
            - '.agentreporting.atera.com'
            - '.pubsub.atera.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'logmein-gateway.com'
            - 'client.teamviewer.com'
            - 'integratedchat.teamviewer.com'
            - 'static.remotepc.com'
            - '.n-able.com'
            - 'comserver.corporate.beanywhere.com'
            - '.swi-rc.com'
            - '.swi-tc.com'
            - 'telemetry.servers.qetqo.com'
            - 'relay.screenconnect.com'
            - 'control.connectwise.com'
            - 'express.gotoassist.com'
            - 'authentication.logmeininc.com'
            - '.services.vnc.com'
            - '.tmate.io'
            - 'api.parsec.app'
            - 'parsecusercontent.com'
            - 'remotedesktop-pa.googleapis.com'
            - '.logmein-gateway.com'
            - 'secure.logmeinrescue.com'
            - 'join.zoho.com'
            - 'assist.zoho.com'
            - '.zohoassist.com'
            - 'downloads.zohocdn.com'
            - 'agent.jumpcloud.com'
            - 'kickstart.jumpcloud.com'
            - 'cdn.kaseya.net'
            - 'relay.kaseya.net'
            - 'license.bomgar.com'
            - '.beyondtrustcloud.com'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software
level: medium
```
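An added example (not the rule's own code or the Sigma project's) that evaluates this rule's condition over constructed Sysmon DNS query events, to show how the selection, the list-of-maps filter (filter_optional_edge_1, any entry may match) and the multi-field filter (filter_optional_edge_2, both fields must match) combine, and that an endswith pattern without a leading dot, such as 'remoteutilities.com', also matches the apex domain. The event field names, image paths and the trimmed domain and browser lists are assumptions.

```python
# Added example, not the Sigma project's code: runs this rule's detection logic over
# constructed Sysmon Event ID 22 (DnsQuery) records; domain/browser lists are trimmed.
SELECTION = {"QueryName|endswith": [".getgo.com", ".logmein.com", "remoteutilities.com",
                                    "client.teamviewer.com", "relay.screenconnect.com"]}
# Sigma semantics: a dict ANDs its fields, a list of dicts ORs them, a list of values ORs.
FILTERS = {
    "filter_optional_chrome": {"Image": [
        "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"]},
    "filter_optional_edge_1": [
        {"Image|startswith": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"},
        {"Image|endswith": "\\WindowsApps\\MicrosoftEdge.exe"},
        {"Image": ["C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                   "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"]}],
    "filter_optional_edge_2": {  # startswith AND endswith must both hold
        "Image|startswith": ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                             "C:\\Program Files\\Microsoft\\EdgeCore\\"],
        "Image|endswith": ["\\msedge.exe", "\\msedgewebview2.exe"]},
}

def _field_matches(key, wanted, actual):  # modifier: none, startswith or endswith
    mod = key.partition("|")[2] or "equals"
    a = actual.lower()  # Sigma string matching is case-insensitive
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = w.lower()
        if ((mod == "endswith" and a.endswith(w)) or (mod == "startswith" and a.startswith(w))
                or (mod == "equals" and a == w)):
            return True
    return False

def _block_matches(block, event):
    if isinstance(block, list):  # list of maps: any entry may match
        return any(_block_matches(b, event) for b in block)
    return all(_field_matches(k, v, event.get(k.partition("|")[0], "")) for k, v in block.items())

def evaluate(event):
    """condition: selection and not 1 of filter_optional_*"""
    return _block_matches(SELECTION, event) and not any(_block_matches(f, event) for f in FILTERS.values())

# Constructed sample events (not real telemetry); keys mirror Sysmon ID 22 fields.
def ev(image, qname):
    return {"Image": image, "QueryName": qname}
EVENTS = {
    "ps_teamviewer": ev("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "client.teamviewer.com"),
    "chrome_logmein": ev("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "secure.logmein.com"),
    "edgecore_getgo": ev("C:\\Program Files\\Microsoft\\EdgeCore\\118.0\\msedge.exe", "launch.getgo.com"),
    "appdata_edge": ev("C:\\Users\\u\\AppData\\Local\\msedge.exe", "launch.getgo.com"),  # no filter covers this path
    "no_leading_dot": ev("C:\\Windows\\System32\\rundll32.exe", "notremoteutilities.com"),  # apex-style pattern
    "benign": ev("C:\\Windows\\System32\\svchost.exe", "example.com"),
}
ALERTS = {name: evaluate(e) for name, e in EVENTS.items()}
```

A real pipeline would compile the rule with pySigma or sigma-cli into the SIEM's query language; this toy evaluator only exists to make the AND/OR semantics of the filters visible.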