DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Sigma rule
```yaml
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsoletes
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsoletes
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsoletes
status: experimental
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
author: frack113, Connor Martin
date: 2022/07/11
modified: 2023/09/12
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'zohoassist.com'
    selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
```
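To show how the rule's condition evaluates against Sysmon Event ID 22 (`dns_query`) records, here is an added example in Python that is not part of the rule or the page. It mirrors the Sigma string-modifier semantics (case-insensitive matching, a list under one field is an OR, several fields in one block are ANDed) with a constructed subset of the domain suffixes and browser filters, and the sample events are constructed rather than real telemetry.

```python
# Added example, not part of the Sigma rule or the page: evaluates the rule's core
# logic over constructed Sysmon Event ID 22 (dns_query) records. Sigma string
# matching is case-insensitive and a list of patterns under one field is an OR.
RAS_SUFFIXES = ["client.teamviewer.com", "net.anydesk.com", "ammyy.com",
                "relay.screenconnect.com"]  # subset of selection_generic

def matches(value, modifier, patterns):
    """Sigma string-modifier semantics: case-insensitive, list == OR."""
    v = value.lower()
    for p in (patterns if isinstance(patterns, list) else [patterns]):
        p = p.lower()
        if ((modifier == "equals" and v == p) or (modifier == "endswith" and v.endswith(p))
                or (modifier == "startswith" and v.startswith(p)) or (modifier == "contains" and p in v)):
            return True
    return False

def selection_generic(ev):
    return matches(ev["QueryName"], "endswith", RAS_SUFFIXES)

def selection_rustdesk(ev):  # both field conditions must hold (AND inside one selection)
    return (matches(ev["QueryName"], "endswith", ".rustdesk.com")
            and matches(ev["QueryName"], "startswith", "rs-"))

# Subset of the filter_optional_* blocks; tuples inside one filter are ANDed.
BROWSER_FILTERS = [
    [("equals", ["C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                 "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"])],
    [("startswith", ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                     "C:\\Program Files\\Microsoft\\EdgeCore\\"]),
     ("endswith", ["\\msedge.exe", "\\msedgewebview2.exe"])],
    [("endswith", "\\brave.exe"), ("startswith", "C:\\Program Files\\BraveSoftware\\")],
]

def is_browser(ev):
    return any(all(matches(ev["Image"], m, p) for m, p in f) for f in BROWSER_FILTERS)

def alert(ev):  # condition: 1 of selection_* and not 1 of filter_optional_*
    return (selection_generic(ev) or selection_rustdesk(ev)) and not is_browser(ev)

SAMPLE_EVENTS = [  # constructed Sysmon EID 22 records, not real telemetry
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\support.exe", "QueryName": "client.teamviewer.com"},
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "CLIENT.teamviewer.com"},
    {"Image": "C:\\Users\\bob\\Downloads\\rustdesk.exe", "QueryName": "rs-sg.rustdesk.com"},
    {"Image": "C:\\Tools\\helper.exe", "QueryName": "www.rustdesk.com"},  # no 'rs-' prefix: no alert
    {"Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "login.microsoftonline.com"},
]

def run(events):
    return [e for e in events if alert(e)]
```

Only the first and third sample events fire: the browser-originated TeamViewer lookup is excluded by the Chrome filter, and `www.rustdesk.com` fails the `rs-` prefix half of `selection_rustdesk`.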
Related rules
- ScreenConnect Temporary Installation Artefact
- Inveigh Execution Artefacts
- Mesh Agent Service Installation
- Suspicious Binary Writes Via AnyDesk
- Suspicious TSCON Start as SYSTEM