Network Connection Initiated To AzureWebsites.NET By Non-Browser Process

calendar Aug 12, 2024 · attack.command-and-control attack.t1102 attack.t1102.001  ·
Share on: linkedin copy

Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.

Sigma rule (View on GitHub)

  1title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
  2id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
  3related:
  4    - id: e043f529-8514-4205-8ab0-7f7d2927b400
  5      type: derived
  6status: experimental
  7description: |
  8        Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
  9references:
 10    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
 11    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
 12    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
 13    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
 14author: Nasreddine Bencherchali (Nextron Systems)
 15date: 2024-06-24
 16modified: 2024-07-16
 17tags:
 18    - attack.command-and-control
 19    - attack.t1102
 20    - attack.t1102.001
 21logsource:
 22    category: network_connection
 23    product: windows
 24detection:
 25    selection:
 26        Initiated: 'true'
 27        DestinationHostname|endswith: 'azurewebsites.net'
 28    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
 29    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
 30    filter_main_chrome:
 31        Image:
 32            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
 33            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
 34    filter_main_chrome_appdata:
 35        Image|startswith: 'C:\Users\'
 36        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
 37    filter_main_firefox:
 38        Image:
 39            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
 40            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
 41    filter_main_firefox_appdata:
 42        Image|startswith: 'C:\Users\'
 43        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
 44    filter_main_ie:
 45        Image:
 46            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
 47            - 'C:\Program Files\Internet Explorer\iexplore.exe'
 48    filter_main_edge_1:
 49        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 50        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
 51        - Image:
 52              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
 53              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
 54    filter_main_edge_2:
 55        Image|startswith:
 56            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
 57            - 'C:\Program Files\Microsoft\EdgeCore\'
 58        Image|endswith:
 59            - '\msedge.exe'
 60            - '\msedgewebview2.exe'
 61    filter_main_safari:
 62        Image|contains:
 63            - 'C:\Program Files (x86)\Safari\'
 64            - 'C:\Program Files\Safari\'
 65        Image|endswith: '\safari.exe'
 66    filter_main_defender:
 67        Image|contains:
 68            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
 69            - 'C:\Program Files\Windows Defender\'
 70            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
 71        Image|endswith:
 72            - '\MsMpEng.exe' # Microsoft Defender executable
 73            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
 74    filter_main_prtg:
 75        # Paessler's PRTG Network Monitor
 76        Image|endswith:
 77            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
 78            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
 79    filter_main_brave:
 80        Image|startswith: 'C:\Program Files\BraveSoftware\'
 81        Image|endswith: '\brave.exe'
 82    filter_main_maxthon:
 83        Image|contains: '\AppData\Local\Maxthon\'
 84        Image|endswith: '\maxthon.exe'
 85    filter_main_opera:
 86        Image|contains: '\AppData\Local\Programs\Opera\'
 87        Image|endswith: '\opera.exe'
 88    filter_main_seamonkey:
 89        Image|startswith:
 90            - 'C:\Program Files\SeaMonkey\'
 91            - 'C:\Program Files (x86)\SeaMonkey\'
 92        Image|endswith: '\seamonkey.exe'
 93    filter_main_vivaldi:
 94        Image|contains: '\AppData\Local\Vivaldi\'
 95        Image|endswith: '\vivaldi.exe'
 96    filter_main_whale:
 97        Image|startswith:
 98            - 'C:\Program Files\Naver\Naver Whale\'
 99            - 'C:\Program Files (x86)\Naver\Naver Whale\'
100        Image|endswith: '\whale.exe'
101    # Note: The TOR browser shouldn't be something you allow in your corporate network.
102    # filter_main_tor:
103    #     Image|contains: '\Tor Browser\'
104    filter_main_whaterfox:
105        Image|startswith:
106            - 'C:\Program Files\Waterfox\'
107            - 'C:\Program Files (x86)\Waterfox\'
108        Image|endswith: '\Waterfox.exe'
109    filter_main_slimbrowser:
110        Image|startswith:
111            - 'C:\Program Files\SlimBrowser\'
112            - 'C:\Program Files (x86)\SlimBrowser\'
113        Image|endswith: '\slimbrowser.exe'
114    filter_main_flock:
115        Image|contains: '\AppData\Local\Flock\'
116        Image|endswith: '\Flock.exe'
117    filter_main_phoebe:
118        Image|contains: '\AppData\Local\Phoebe\'
119        Image|endswith: '\Phoebe.exe'
120    filter_main_falkon:
121        Image|startswith:
122            - 'C:\Program Files\Falkon\'
123            - 'C:\Program Files (x86)\Falkon\'
124        Image|endswith: '\falkon.exe'
125    filter_main_qtweb:
126        Image|startswith:
127            - 'C:\Program Files (x86)\QtWeb\'
128            - 'C:\Program Files\QtWeb\'
129        Image|endswith: '\QtWeb.exe'
130    filter_main_avant:
131        Image|startswith:
132            - 'C:\Program Files (x86)\Avant Browser\'
133            - 'C:\Program Files\Avant Browser\'
134        Image|endswith: '\avant.exe'
135    filter_main_discord:
136        Image|contains: '\AppData\Local\Discord\'
137        Image|endswith: '\Discord.exe'
138    filter_main_null:
139        Image: null
140    filter_main_empty:
141        Image: ''
142    # filter_optional_qlik:
143    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
144    condition: selection and not 1 of filter_main_*
145falsepositives:
146    - Unknown
147level: medium

References

Related rules

to-top