DNS Query To AzureWebsites.NET By Non-Browser Process

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects a DNS query by a non-browser process on the system to "azurewebsites.net". That domain has often been used by threat actors as a malware hosting and exfiltration site, so a resolution from anything other than a known browser (or the Defender components listed in the filters) is worth a look.

MITRE ATT&CK coverage

Tactic               Technique
Command & Control    T1219.002 Remote Access Tools: Remote Desktop Software

Event coverage

Provider    Event ID    Title
Sysmon      22          DNSEvent (DNS query)

Stages and Predicates

Stage 1: selection

QueryName|endswith: azurewebsites.net

Stage 2: not 1 of filter_optional_*

or:
  or:
    Image|endswith: '\msedge.exe'
    Image|endswith: '\msedgewebview2.exe'
  or:
    Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeCore\'
    Image|startswith: 'C:\Program Files\Microsoft\EdgeCore\'
  or:
    Image|startswith: 'C:\Program Files (x86)\Avant Browser\'
    Image|startswith: 'C:\Program Files\Avant Browser\'
    Image|endswith: '\avant.exe'
  or:
    Image|startswith: 'C:\Program Files (x86)\Falkon\'
    Image|startswith: 'C:\Program Files\Falkon\'
    Image|endswith: '\falkon.exe'
  or:
    Image|startswith: 'C:\Program Files (x86)\Naver\Naver Whale\'
    Image|startswith: 'C:\Program Files\Naver\Naver Whale\'
    Image|endswith: '\whale.exe'
  or:
    Image|startswith: 'C:\Program Files (x86)\SeaMonkey\'
    Image|startswith: 'C:\Program Files\SeaMonkey\'
    Image|endswith: '\seamonkey.exe'
  or:
    Image|startswith: 'C:\Program Files (x86)\SlimBrowser\'
    Image|startswith: 'C:\Program Files\SlimBrowser\'
    Image|endswith: '\slimbrowser.exe'
  or:
    Image|startswith: 'C:\Program Files (x86)\Waterfox\'
    Image|startswith: 'C:\Program Files\Waterfox\'
    Image|endswith: '\Waterfox.exe'
  Image|endswith: '\Flock.exe'
  Image|contains: '\AppData\Local\Flock\'
  Image|endswith: '\Midori Next Generation.exe'
  Image|contains: '\AppData\Local\Programs\midori-ng\'
  Image|endswith: '\Phoebe.exe'
  Image|contains: '\AppData\Local\Phoebe\'
  Image|endswith: '\brave.exe'
  Image|startswith: 'C:\Program Files\BraveSoftware\'
  Image|endswith: '\maxthon.exe'
  Image|contains: '\AppData\Local\Maxthon\'
  Image|endswith: '\opera.exe'
  Image|contains: '\AppData\Local\Programs\Opera\'
  Image|endswith: '\vivaldi.exe'
  Image|contains: '\AppData\Local\Vivaldi\'
  Image|endswith: '\MsMpEng.exe'
  Image|endswith: '\MsSense.exe'
  Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
  Image|endswith: '\safari.exe'
  Image: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
  Image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
  Image: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
  Image: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
  Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
  Image: 'C:\Program Files\Internet Explorer\iexplore.exe'
  Image: 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
  Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
  Image|contains: '\Tor Browser\'
  Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
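The two stages above can be replayed over Sysmon Event ID 22 records to see which events survive the browser filters. The block below is an added example, not the rule's own code or a Sigma backend: it copies the rule's predicates verbatim, treats every filter predicate as an OR alternative exactly as the page renders them (so the filter is at least as permissive as the rule), and compares case-insensitively because Sigma string modifiers are case-insensitive by default. The event records are constructed sample data, not real telemetry.

```python
# Added example: the rule's selection and filter logic over constructed
# Sysmon Event 22 records. Predicates below are copied from the rule;
# paths are lowercased because Sigma matching is case-insensitive.

QUERY_SUFFIX = "azurewebsites.net"  # Stage 1: QueryName|endswith

# Stage 2 predicates (filter_optional_*), grouped by Sigma modifier.
ENDSWITH = [
    "\\msedge.exe", "\\msedgewebview2.exe", "\\avant.exe", "\\falkon.exe",
    "\\whale.exe", "\\seamonkey.exe", "\\slimbrowser.exe", "\\waterfox.exe",
    "\\flock.exe", "\\midori next generation.exe", "\\phoebe.exe", "\\brave.exe",
    "\\maxthon.exe", "\\opera.exe", "\\vivaldi.exe", "\\msmpeng.exe",
    "\\mssense.exe", "\\windowsapps\\microsoftedge.exe", "\\safari.exe",
]
STARTSWITH = [
    "c:\\program files (x86)\\microsoft\\edgecore\\",
    "c:\\program files\\microsoft\\edgecore\\",
    "c:\\program files (x86)\\avant browser\\", "c:\\program files\\avant browser\\",
    "c:\\program files (x86)\\falkon\\", "c:\\program files\\falkon\\",
    "c:\\program files (x86)\\naver\\naver whale\\", "c:\\program files\\naver\\naver whale\\",
    "c:\\program files (x86)\\seamonkey\\", "c:\\program files\\seamonkey\\",
    "c:\\program files (x86)\\slimbrowser\\", "c:\\program files\\slimbrowser\\",
    "c:\\program files (x86)\\waterfox\\", "c:\\program files\\waterfox\\",
    "c:\\program files\\bravesoftware\\",
    "c:\\program files (x86)\\microsoft\\edgewebview\\application\\",
]
CONTAINS = [
    "\\appdata\\local\\flock\\", "\\appdata\\local\\programs\\midori-ng\\",
    "\\appdata\\local\\phoebe\\", "\\appdata\\local\\maxthon\\",
    "\\appdata\\local\\programs\\opera\\", "\\appdata\\local\\vivaldi\\",
    "\\tor browser\\",
]
EXACT = [
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\internet explorer\\iexplore.exe",
    "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe",
    "c:\\program files (x86)\\mozilla firefox\\firefox.exe",
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files\\internet explorer\\iexplore.exe",
    "c:\\program files\\microsoft\\edge\\application\\msedge.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
]


def is_known_browser(image: str) -> bool:
    """Stage 2: True when any filter_optional_* predicate matches Image."""
    img = image.lower()
    return (
        img in EXACT
        or any(img.endswith(s) for s in ENDSWITH)
        or any(img.startswith(s) for s in STARTSWITH)
        or any(s in img for s in CONTAINS)
    )


def matches(event: dict) -> bool:
    """Whole rule: selection AND NOT (1 of filter_optional_*)."""
    if event.get("EventID") != 22:          # logsource: Sysmon DNS query events only
        return False
    if not event.get("QueryName", "").lower().endswith(QUERY_SUFFIX):
        return False                        # Stage 1 not satisfied
    return not is_known_browser(event.get("Image", ""))


def alerts(events):
    """Return the records that would raise this rule."""
    return [e for e in events if matches(e)]


# Constructed sample records (field names follow Sysmon Event 22).
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "myapp.azurewebsites.net"},           # browser: suppressed by filter
    {"EventID": 22, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "QueryName": "cdn-sync.azurewebsites.net"},        # non-browser: alert
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "login.microsoftonline.com"},         # other domain: no Stage 1 hit
    {"EventID": 22, "Image": "c:\\program files\\mozilla firefox\\FIREFOX.EXE",
     "QueryName": "Portal.AzureWebsites.NET"},          # case differs: still suppressed
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "->", e["QueryName"])
```

Running the block prints a single alert for the constructed `updater.exe` record; the Chrome and Firefox queries are dropped by Stage 2, and the `svchost.exe` query never passes Stage 1. Because Sigma's `endswith` on `Image` only inspects the path, a process renamed to one of the listed browser names would also be suppressed, which is the usual trade-off of image-name allow-lists and a reason to pair this rule with process-integrity telemetry rather than rely on it alone.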

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.

Field        Kind          Values
Image        ends_with
  • \Flock.exe corpus 4 (sigma 4)
  • \Midori Next Generation.exe corpus 3 (sigma 3)
  • \MsMpEng.exe corpus 13 (sigma 13)
  • \MsSense.exe corpus 5 (sigma 5)
  • \Phoebe.exe corpus 4 (sigma 4)
  • \Waterfox.exe corpus 4 (sigma 4)
  • \WindowsApps\MicrosoftEdge.exe corpus 12 (sigma 12)
  • \avant.exe corpus 4 (sigma 4)
  • \brave.exe corpus 20 (sigma 20)
  • \falkon.exe corpus 4 (sigma 4)
  • \maxthon.exe corpus 13 (sigma 13)
  • \msedge.exe corpus 22 (sigma 22)
  • \msedgewebview2.exe corpus 15 (sigma 15)
  • \opera.exe corpus 21 (sigma 21)
  • \safari.exe corpus 12 (sigma 12)
  • \seamonkey.exe corpus 13 (sigma 13)
  • \slimbrowser.exe corpus 4 (sigma 4)
  • \vivaldi.exe corpus 19 (sigma 19)
  • \whale.exe corpus 12 (sigma 12)
Image        eq
  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe corpus 11 (sigma 11)
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe corpus 10 (sigma 10)
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe corpus 11 (sigma 11)
  • C:\Program Files (x86)\Mozilla Firefox\firefox.exe corpus 11 (sigma 11)
  • C:\Program Files\Google\Chrome\Application\chrome.exe corpus 12 (sigma 12)
  • C:\Program Files\Internet Explorer\iexplore.exe corpus 11 (sigma 11)
  • C:\Program Files\Microsoft\Edge\Application\msedge.exe corpus 11 (sigma 11)
  • C:\Program Files\Mozilla Firefox\firefox.exe corpus 12 (sigma 12)
Image        match
  • \AppData\Local\Flock\ corpus 4 (sigma 4)
  • \AppData\Local\Maxthon\ corpus 4 (sigma 4)
  • \AppData\Local\Phoebe\ corpus 4 (sigma 4)
  • \AppData\Local\Programs\Opera\ corpus 5 (sigma 5)
  • \AppData\Local\Programs\midori-ng\ corpus 3 (sigma 3)
  • \AppData\Local\Vivaldi\ corpus 4 (sigma 4)
  • \Tor Browser\ corpus 2 (sigma 2)
Image        starts_with
  • C:\Program Files (x86)\Avant Browser\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\Falkon\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\Microsoft\EdgeCore\ corpus 11 (sigma 11)
  • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ corpus 10 (sigma 10)
  • C:\Program Files (x86)\Naver\Naver Whale\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\SeaMonkey\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\SlimBrowser\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\Waterfox\ corpus 4 (sigma 4)
  • C:\Program Files\Avant Browser\ corpus 4 (sigma 4)
  • C:\Program Files\BraveSoftware\ corpus 4 (sigma 4)
  • C:\Program Files\Falkon\ corpus 4 (sigma 4)
  • C:\Program Files\Microsoft\EdgeCore\ corpus 11 (sigma 11)
  • C:\Program Files\Naver\Naver Whale\ corpus 4 (sigma 4)
  • C:\Program Files\SeaMonkey\ corpus 4 (sigma 4)
  • C:\Program Files\SlimBrowser\ corpus 4 (sigma 4)
  • C:\Program Files\Waterfox\ corpus 4 (sigma 4)
QueryName    ends_with
  • azurewebsites.net