DNS Query To Remote Access Software Domain From Non-Browser App

An adversary may use legitimate desktop support and remote access software, such as TeamViewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Sigma rule

title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsolete
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsolete
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsolete
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-09-13
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com'  # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
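To show how the rule's condition behaves on real-looking telemetry, here is an added example (not part of the Sigma project or this rule) that re-implements the detection logic over constructed Sysmon Event ID 22 records: a trimmed subset of the selection_generic suffixes, the rs-*.rustdesk.com pattern, and a few of the filter_optional_* browser and Defender exclusions. Sigma string modifiers are case-insensitive, which the helper reproduces by lower-casing both sides.

```python
# Added example, not the rule's or the Sigma project's code: a minimal evaluator for
# "1 of selection_* and not 1 of filter_optional_*" over constructed DNS query events.

# Subset of the rule's selection_generic list (QueryName|endswith).
RAT_DOMAIN_SUFFIXES = (
    "client.teamviewer.com", "net.anydesk.com", "relay.screenconnect.com",
    "remoteassistance.support.services.microsoft.com", "tailscale.com",
)

# Subset of the rule's filter_optional_* exclusions (exact Image paths and suffixes).
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\google\chrome\application\chrome.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}
BROWSER_SUFFIXES = (r"\msedge.exe", r"\brave.exe", r"\msmpeng.exe")


def selection_matches(query_name: str) -> bool:
    """1 of selection_*: a generic RAT domain suffix, or the RustDesk relay pattern
    (both modifiers inside selection_rustdesk must hold, so they are ANDed)."""
    q = query_name.lower()
    generic = q.endswith(RAT_DOMAIN_SUFFIXES)
    rustdesk = q.endswith(".rustdesk.com") and q.startswith("rs-")
    return generic or rustdesk


def filter_matches(image: str) -> bool:
    """1 of filter_optional_*: the querying process is an excluded browser or Defender."""
    img = image.lower()
    return img in BROWSER_IMAGES or img.endswith(BROWSER_SUFFIXES)


def rule_fires(event: dict) -> bool:
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    return selection_matches(event["QueryName"]) and not filter_matches(event["Image"])


# Constructed sample events using Sysmon Event ID 22 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "QueryName": "client.teamviewer.com"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "client.teamviewer.com"},
    {"Image": r"C:\Windows\Temp\svc.exe", "QueryName": "rs-ny.rustdesk.com"},
    {"Image": r"C:\Windows\Temp\svc.exe", "QueryName": "www.rustdesk.com"},
]


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Return only the events the rule would alert on (first and third sample)."""
    return [e for e in events if rule_fires(e)]
```

Because the generic entries use endswith without a leading dot, any query name ending in that string matches, subdomains included; the RustDesk selection is narrower because it also requires the rs- prefix.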
