Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Sigma rule
title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
related:
    - id: e043f529-8514-4205-8ab0-7f7d2927b400
      type: derived
status: experimental
description: |
    Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
modified: 2024-07-16
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: 'azurewebsites.net'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
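As an added example (not part of the rule or of SigmaHQ), the following Python evaluator applies the rule's selection and exclusion logic, with a subset of the browser filters encoded as data, to constructed Sysmon-style network_connection events; the helper names `ev`, `clause_matches`, `rule_matches` and `alerts` are assumptions of this example.

```python
# Added example, not part of the Sigma rule or SigmaHQ: a minimal evaluator for this
# rule's logic over constructed Sysmon-style network_connection events. Sigma string
# matching is case-insensitive, so values are lowercased before comparison. Only a
# subset of filter_main_* is encoded; clauses in a filter are ANDed, values ORed.
FILTERS = {
    "chrome": [("equals", ["C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                           "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"])],
    "chrome_appdata": [("startswith", ["C:\\Users\\"]),
                       ("endswith", ["\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"])],
    "edge_2": [("startswith", ["C:\\Program Files (x86)\\Microsoft\\EdgeCore\\",
                               "C:\\Program Files\\Microsoft\\EdgeCore\\"]),
               ("endswith", ["\\msedge.exe", "\\msedgewebview2.exe"])],
    "null": [("equals", [None])],   # Image field absent from the event
    "empty": [("equals", [""])],    # Image field present but empty
}
OPS = {"equals": str.__eq__, "startswith": str.startswith,
       "endswith": str.endswith, "contains": lambda s, v: v in s}

def clause_matches(image, modifier, values):
    if not image:                   # None or "" can only satisfy the null/empty filters
        return image in values
    return any(OPS[modifier](image.lower(), v.lower()) for v in values if v is not None)

def rule_matches(event):
    """Implements 'selection and not 1 of filter_main_*'."""
    host = (event.get("DestinationHostname") or "").lower()
    if str(event.get("Initiated", "")).lower() != "true" or not host.endswith("azurewebsites.net"):
        return False
    image = event.get("Image")
    return not any(all(clause_matches(image, m, vals) for m, vals in clauses)
                   for clauses in FILTERS.values())

def alerts(events):
    """Image of every event the rule fires on."""
    return [e.get("Image") for e in events if rule_matches(e)]

def ev(image, host, initiated="true"):  # builds a constructed sample event
    e = {"Initiated": initiated, "DestinationHostname": host}
    if image is not None:
        e["Image"] = image
    return e

EVENTS = [  # constructed sample events; only the first one should fire
    ev("C:\\Windows\\System32\\rundll32.exe", "site.azurewebsites.net"),
    ev("C:\\Program Files\\Google\\Chrome\\Application\\CHROME.EXE", "site.azurewebsites.net"),
    ev("C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", "Site.AzureWebsites.NET"),
    ev("C:\\Windows\\System32\\svchost.exe", "site.azurewebsites.net", initiated="false"),
    ev(None, "site.azurewebsites.net"),  # no Image field: matched by filter_main_null
]
```

Note that `endswith: 'azurewebsites.net'` also matches hostnames such as `notazurewebsites.net`; if that matters in your environment, tune the selection to `'.azurewebsites.net'`.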
Related rules
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- Potentially Suspicious Network Connection To Notion API