DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Sigma rule
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsolete
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsolete
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsolete
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com' # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
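To show how the rule's condition combines its selections with the browser filters (keys inside one mapping are ANDed, list items and sibling filters are ORed), here is an added example that is not code from the SigmaHQ rule or project: it evaluates a trimmed copy of the detection block over constructed Sysmon Event ID 22 style records. The user name, executable paths and the rs-example relay name are assumptions.

```python
# Added example (not part of the SigmaHQ rule): a small evaluator for this rule's
# detection logic over constructed Sysmon Event ID 22 style DNS query records.
DETECTION = {  # trimmed copy of the rule's detection block, same Sigma semantics
    "selection_generic": {
        "QueryName|endswith": ["client.teamviewer.com", "net.anydesk.com", "ammyy.com"]},
    "selection_rustdesk": {  # two keys in one mapping are ANDed: rs-*.rustdesk.com
        "QueryName|endswith": ".rustdesk.com", "QueryName|startswith": "rs-"},
    "filter_optional_chrome": {
        "Image": ["C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                  "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"]},
    "filter_optional_opera": {
        "Image|contains": "\\AppData\\Local\\Programs\\Opera\\", "Image|endswith": "\\opera.exe"},
}

def field_match(modifier, actual, expected):
    # Sigma string comparisons are case-insensitive; no modifier means exact match.
    a, e = actual.lower(), expected.lower()
    return {"equals": a == e, "endswith": a.endswith(e),
            "startswith": a.startswith(e), "contains": e in a}[modifier]

def clause_matches(clause, event):
    # Keys of one mapping are ANDed; a list value is an OR over its items.
    for key, expected in clause.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(field_match(modifier or "equals", event.get(field, ""), v)
                   for v in values):
            return False
    return True

def rule_matches(event, detection=DETECTION):
    # condition: 1 of selection_* and not 1 of filter_optional_*
    def one_of(prefix):
        return any(clause_matches(c, event)
                   for name, c in detection.items() if name.startswith(prefix))
    return one_of("selection_") and not one_of("filter_optional_")

def ev(image, qname):  # constructed Sysmon-style record (Image + QueryName only)
    return {"Image": image, "QueryName": qname}

EVENTS = [  # constructed sample records with an assumed user 'alice', not real telemetry
    ev("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "client.teamviewer.com"),  # browser: filtered
    ev("C:\\Users\\alice\\Downloads\\TeamViewer.exe", "client.teamviewer.com"),  # non-browser: alert
    ev("C:\\Users\\alice\\AppData\\Local\\Programs\\Opera\\opera.exe", "net.anydesk.com"),  # Opera: filtered
    ev("C:\\Users\\alice\\Downloads\\rustdesk.exe", "rs-example.rustdesk.com"),  # relay pattern: alert
    ev("C:\\Users\\alice\\Downloads\\rustdesk.exe", "www.rustdesk.com"),  # suffix only, no 'rs-': no alert
]

def alerts(events=EVENTS):
    return [e["QueryName"] for e in events if rule_matches(e)]
```

Note that the Opera record is suppressed only because both of that filter's keys match; an executable named opera.exe outside the expected folder would still alert, which is why the rule pairs path and image-name modifiers instead of matching on the file name alone.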
Related rules
- QuickAssist Execution
- Antivirus Exploitation Framework Detection
- Remote Access Tool - MeshAgent Command Execution via MeshCentral
- Remote Access Tool - AnyDesk Incoming Connection
- Anydesk Temporary Artefact