DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Sigma rule
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsolete
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsolete
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsolete
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-09-13
tags:
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com' # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
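To make the rule's evaluation order concrete, here is an added Python evaluator that is not part of the SigmaHQ rule or this page. It re-implements the condition `1 of selection_* and not 1 of filter_optional_*` over constructed Sysmon DNS query events (fields `Image` and `QueryName`), using a subset of the rule's domain list and a subset of its browser filters. It also shows two details worth knowing before deploying the rule: within one selection the modifiers combine with AND (so `selection_rustdesk` needs both the `rs-` prefix and the `.rustdesk.com` suffix), and Sigma's `endswith` has no label boundary, so a bare entry such as `'ammyy.com'` also matches an unrelated name that merely ends in those characters. All sample hostnames and paths below are constructed.

```python
"""Added example (not SigmaHQ code): a small evaluator for the Sigma rule's
condition, run over constructed Sysmon-style DNS query events.

Sigma string modifiers (endswith / startswith / contains / plain equality) are
case-insensitive, so both sides are lower-cased before comparison.
"""

# Subset of the rule's selection_generic list (QueryName|endswith).
RAT_DOMAIN_SUFFIXES = (
    "ammyy.com",
    "client.teamviewer.com",
    "net.anydesk.com",
    "express.gotoassist.com",
    "relay.splashtop.com",
    "remoteassistance.support.services.microsoft.com",
)

# Exact-match Image filters (chrome, firefox and the msedge.exe entries).
BROWSER_IMAGES = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
    "c:\\program files (x86)\\mozilla firefox\\firefox.exe",
    "c:\\program files\\microsoft\\edge\\application\\msedge.exe",
    "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe",
}

# filter_optional_defender (Image|endswith).
DEFENDER_IMAGE_SUFFIXES = ("\\msmpeng.exe", "\\mssense.exe")


def matches_selection(query_name: str) -> bool:
    """1 of selection_*: the generic suffix list OR the RustDesk relay pattern."""
    q = query_name.lower()
    if any(q.endswith(suffix) for suffix in RAT_DOMAIN_SUFFIXES):
        return True
    # selection_rustdesk: two modifiers in one selection, so both must hold (AND).
    return q.endswith(".rustdesk.com") and q.startswith("rs-")


def matches_browser_filter(image: str) -> bool:
    """1 of filter_optional_*: any browser or Defender image excludes the event."""
    img = image.lower()
    if img in BROWSER_IMAGES:
        return True
    # filter_optional_brave: startswith AND endswith inside one filter block.
    if img.startswith("c:\\program files\\bravesoftware\\") and img.endswith("\\brave.exe"):
        return True
    return any(img.endswith(suffix) for suffix in DEFENDER_IMAGE_SUFFIXES)


def rule_fires(event: dict) -> bool:
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    return matches_selection(event["QueryName"]) and not matches_browser_filter(event["Image"])


def evaluate(events):
    """Return the QueryName of every event the rule would alert on, in order."""
    return [e["QueryName"] for e in events if rule_fires(e)]


# Constructed sample events (Sysmon event ID 22 fields Image and QueryName).
SAMPLE_EVENTS = [
    # Tool in a user temp folder resolving a TeamViewer endpoint: alert.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\support.exe",
     "QueryName": "client.teamviewer.com"},
    # Same name from Chrome: excluded by filter_optional_chrome.
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "client.teamviewer.com"},
    # Relay-style name matching selection_rustdesk (label is constructed): alert.
    {"Image": "C:\\Users\\alice\\Downloads\\rustdesk.exe",
     "QueryName": "rs-example.rustdesk.com"},
    # Website lookup without the rs- prefix: selection_rustdesk needs both parts.
    {"Image": "C:\\Users\\alice\\Downloads\\rustdesk.exe",
     "QueryName": "www.rustdesk.com"},
    # Defender engine doing its own lookup: excluded by filter_optional_defender.
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\1.0\\MsMpEng.exe",
     "QueryName": "ammyy.com"},
    # endswith has no label boundary: 'notammyy.com' ends with 'ammyy.com'.
    {"Image": "C:\\Tools\\updater.exe", "QueryName": "notammyy.com"},
    # Unrelated lookup: no alert.
    {"Image": "C:\\Tools\\updater.exe", "QueryName": "time.windows.com"},
]

if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print("ALERT", name)
```

Running the script prints three alerts: the TeamViewer lookup from the temp-folder executable, the `rs-` RustDesk name, and `notammyy.com`. The last one is the caveat to keep in mind when tuning: entries without a leading dot match any hostname whose text ends with them, which is usually what you want for subdomains but can also pull in unrelated registrable domains. Adding a browser you use is a matter of extending the filter in the same shape as the rule's own `filter_optional_*` blocks.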
Related rules
- Remote Access Tool - AnyDesk Incoming Connection
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts