# Sigma detection rule for the Windows `dns_query` log source.
# It matches DNS lookups, made by any process, for host names belonging to
# commercial remote access / remote support products, and then discards hits
# whose querying process image (`Image`) is one of the listed web browsers.
# Only two event fields are read: `QueryName` and `Image`.
title: DNS Query To Remote Access Software Domain
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
# Three earlier rules that this consolidated rule obsoletes.
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsoletes
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsoletes
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsoletes
status: experimental
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    # Atomic Red Team T1219 tests (GoToAssist, LogMeIn, Ammyy Admin) that can
    # be used to generate matching events, plus Red Canary's write-up on RATs.
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
author: frack113, Connor Martin
date: 2022/07/11
modified: 2023/06/14
tags:
    # MITRE ATT&CK T1219 - Remote Access Software (Command and Control).
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    # The event source must attribute each DNS query to a process image, since
    # the browser exclusions below are keyed on `Image`.
    # NOTE(review): a client that resolves over DNS-over-HTTPS or connects by IP
    # address produces no matching dns_query event; treat this rule as a
    # complement to file/process based T1219 rules, not a replacement.
    category: dns_query
detection:
    # Every entry is compared with `endswith` against the queried name.
    # Entries with a leading dot match only subdomains of that domain. Entries
    # without one (e.g. 'remoteutilities.com', 'parsecusercontent.com',
    # 'logmein-gateway.com') also match the apex domain, but as a plain suffix
    # test they would likewise match an unrelated name that merely ends in the
    # same string; keep that in mind when adding bare domains.
    selection_name:
        QueryName|endswith:
            - '.getgo.com'
            - '.logmein.com'
            - '.ammyy.com'
            - '.netsupportsoftware.com' # For NetSupport Manager RAT
            - 'remoteutilities.com' # Usage of Remote Utilities RAT (bare suffix: matches apex and subdomains)
            - '.net.anydesk.com'
            - 'api.playanext.com'
            - '.relay.splashtop.com'
            - '.api.splashtop.com'
            - 'app.atera.com'
            - '.agentreporting.atera.com'
            - '.pubsub.atera.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'logmein-gateway.com'
            - 'client.teamviewer.com'
            - 'integratedchat.teamviewer.com'
            - 'static.remotepc.com'
            - '.n-able.com'
            - 'comserver.corporate.beanywhere.com'
            - '.swi-rc.com'
            - '.swi-tc.com'
            - 'telemetry.servers.qetqo.com'
            - 'relay.screenconnect.com'
            - 'control.connectwise.com'
            - 'express.gotoassist.com'
            - 'authentication.logmeininc.com'
            - '.services.vnc.com'
            - '.tmate.io'
            - 'api.parsec.app'
            - 'parsecusercontent.com'
            - 'remotedesktop-pa.googleapis.com'
            - '.logmein-gateway.com' # Redundant: already covered by the bare 'logmein-gateway.com' entry above; harmless
            - 'secure.logmeinrescue.com'
            - 'join.zoho.com'
            - 'assist.zoho.com'
            - '.zohoassist.com'
            - 'downloads.zohocdn.com'
            - 'agent.jumpcloud.com'
            - 'kickstart.jumpcloud.com'
            - 'cdn.kaseya.net'
            - 'relay.kaseya.net'
            - 'license.bomgar.com'
            - '.beyondtrustcloud.com'
    # RustDesk relay/rendezvous hosts. Both keys must hold (keys within one
    # selection are ANDed): a host under rustdesk.com whose name starts with 'rs-'.
    # Pattern sources: https://twitter.com/malmoeb/status/1668504345132822531?s=20 and
    # https://www.adamsdesk.com/posts/rustdesk-not-connecting/
    selection_rustdesk:
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above.
    # Add missing browsers you use and exclude the ones you don't.
    # NOTE(review): the filters keyed only on `Image|endswith` (brave, maxthon,
    # opera, safari, seamonkey, vivaldi, whale) are satisfied by any process
    # whose file name matches, wherever it resides, so a renamed binary would
    # be excluded from detection. The Chrome/Firefox/IE filters pin the full
    # install path instead, which is the more robust form; prefer that style
    # when extending this list.
    # NOTE(review): the exclusions also hide the queries a browser makes while
    # a user downloads a remote access client from one of these hosts
    # (e.g. the CDN/download entries above); accept that or narrow the filters
    # if installer downloads matter in your environment.
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    # List form: any one of the three Image tests below is enough to filter.
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    # Map form: the Image must start with one of the EdgeCore paths AND end
    # with one of the two executable names.
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    # A hit requires any selection_* block to match; it is then dropped if any
    # filter_optional_* block matches the querying process image.
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    # Browsers not covered by a filter_optional_* block, and sanctioned use of
    # these support products (see description).
    - Likely with other browser software
level: medium