DNS Query To Remote Access Software Domain From Non-Browser App

calendar Oct 18, 2023 · attack.command_and_control attack.t1219  ·
Share on: linkedin copy

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Sigma rule (View on GitHub)

  1title: DNS Query To Remote Access Software Domain From Non-Browser App
  2id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
  3related:
  4    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
  5      type: obsoletes
  6    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
  7      type: obsoletes
  8    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
  9      type: obsoletes
 10status: experimental
 11description: |
 12    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
 13    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
 14    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)    
 15references:
 16    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 17    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
 18    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
 19    - https://redcanary.com/blog/misbehaving-rats/
 20    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
 21author: frack113, Connor Martin
 22date: 2022/07/11
 23modified: 2023/09/12
 24tags:
 25    - attack.command_and_control
 26    - attack.t1219
 27logsource:
 28    product: windows
 29    category: dns_query
 30detection:
 31    selection_generic:
 32        QueryName|endswith:
 33            - 'agent.jumpcloud.com'
 34            - 'agentreporting.atera.com'
 35            - 'ammyy.com'
 36            - 'api.parsec.app'
 37            - 'api.playanext.com'
 38            - 'api.splashtop.com'
 39            - 'app.atera.com'
 40            - 'assist.zoho.com'
 41            - 'authentication.logmeininc.com'
 42            - 'beyondtrustcloud.com'
 43            - 'cdn.kaseya.net'
 44            - 'client.teamviewer.com'
 45            - 'comserver.corporate.beanywhere.com'
 46            - 'control.connectwise.com'
 47            - 'downloads.zohocdn.com'
 48            - 'dwservice.net'
 49            - 'express.gotoassist.com'
 50            - 'getgo.com'
 51            - 'integratedchat.teamviewer.com'
 52            - 'join.zoho.com'
 53            - 'kickstart.jumpcloud.com'
 54            - 'license.bomgar.com'
 55            - 'logmein-gateway.com'
 56            - 'logmein.com'
 57            - 'logmeincdn.http.internapcdn.net'
 58            - 'n-able.com'
 59            - 'net.anydesk.com'
 60            - 'netsupportsoftware.com' # For NetSupport Manager RAT
 61            - 'parsecusercontent.com'
 62            - 'pubsub.atera.com'
 63            - 'relay.kaseya.net'
 64            - 'relay.screenconnect.com'
 65            - 'relay.splashtop.com'
 66            - 'remotedesktop-pa.googleapis.com'
 67            - 'remoteutilities.com' # Usage of Remote Utilities RAT
 68            - 'secure.logmeinrescue.com'
 69            - 'services.vnc.com'
 70            - 'static.remotepc.com'
 71            - 'swi-rc.com'
 72            - 'swi-tc.com'
 73            - 'telemetry.servers.qetqo.com'
 74            - 'tmate.io'
 75            - 'zohoassist.com'
 76    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
 77        QueryName|endswith: '.rustdesk.com'
 78        QueryName|startswith: 'rs-'
 79    # Exclude browsers for legitimate visits of the domains mentioned above
 80    # Add missing browsers you use and exclude the ones you don't
 81    filter_optional_chrome:
 82        Image:
 83            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
 84            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
 85    filter_optional_firefox:
 86        Image:
 87            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
 88            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
 89    filter_optional_ie:
 90        Image:
 91            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
 92            - 'C:\Program Files\Internet Explorer\iexplore.exe'
 93    filter_optional_edge_1:
 94        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 95        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
 96        - Image:
 97              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
 98              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
 99    filter_optional_edge_2:
100        Image|startswith:
101            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
102            - 'C:\Program Files\Microsoft\EdgeCore\'
103        Image|endswith:
104            - '\msedge.exe'
105            - '\msedgewebview2.exe'
106    filter_optional_safari:
107        Image|endswith: '\safari.exe'
108    filter_optional_defender:
109        Image|endswith:
110            - '\MsMpEng.exe' # Microsoft Defender executable
111            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
112    filter_optional_brave:
113        Image|endswith: '\brave.exe'
114        Image|startswith: 'C:\Program Files\BraveSoftware\'
115    filter_optional_maxthon:
116        Image|contains: '\AppData\Local\Maxthon\'
117        Image|endswith: '\maxthon.exe'
118    filter_optional_opera:
119        Image|contains: '\AppData\Local\Programs\Opera\'
120        Image|endswith: '\opera.exe'
121    filter_optional_seamonkey:
122        Image|startswith:
123            - 'C:\Program Files\SeaMonkey\'
124            - 'C:\Program Files (x86)\SeaMonkey\'
125        Image|endswith: '\seamonkey.exe'
126    filter_optional_vivaldi:
127        Image|contains: '\AppData\Local\Vivaldi\'
128        Image|endswith: '\vivaldi.exe'
129    filter_optional_whale:
130        Image|startswith:
131            - 'C:\Program Files\Naver\Naver Whale\'
132            - 'C:\Program Files (x86)\Naver\Naver Whale\'
133        Image|endswith: '\whale.exe'
134    filter_optional_tor:
135        Image|contains: '\Tor Browser\'
136    filter_optional_whaterfox:
137        Image|startswith:
138            - 'C:\Program Files\Waterfox\'
139            - 'C:\Program Files (x86)\Waterfox\'
140        Image|endswith: '\Waterfox.exe'
141    filter_optional_midori:
142        Image|contains: '\AppData\Local\Programs\midori-ng\'
143        Image|endswith: '\Midori Next Generation.exe'
144    filter_optional_slimbrowser:
145        Image|startswith:
146            - 'C:\Program Files\SlimBrowser\'
147            - 'C:\Program Files (x86)\SlimBrowser\'
148        Image|endswith: '\slimbrowser.exe'
149    filter_optional_flock:
150        Image|contains: '\AppData\Local\Flock\'
151        Image|endswith: '\Flock.exe'
152    filter_optional_phoebe:
153        Image|contains: '\AppData\Local\Phoebe\'
154        Image|endswith: '\Phoebe.exe'
155    filter_optional_falkon:
156        Image|startswith:
157            - 'C:\Program Files\Falkon\'
158            - 'C:\Program Files (x86)\Falkon\'
159        Image|endswith: '\falkon.exe'
160    filter_optional_avant:
161        Image|startswith:
162            - 'C:\Program Files (x86)\Avant Browser\'
163            - 'C:\Program Files\Avant Browser\'
164        Image|endswith: '\avant.exe'
165    condition: 1 of selection_* and not 1 of filter_optional_*
166falsepositives:
167    - Likely with other browser software. Apply additional filters for any other browsers you might use.
168level: medium

References

Related rules

to-top