Detection rules › Sigma

DNS Query To Remote Access Software Domain From Non-Browser App

Status
test
Severity
medium
Author
frack113, Connor Martin
Source
github.com/SigmaHQ/sigma

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

MITRE ATT&CK coverage

Event coverage

ProviderEventTitle
SysmonEvent ID 22DNSEvent (DNS query)

Rule body yaml

title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsolete
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsolete
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsolete
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com'  # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium

Stages and Predicates

Stage 0: condition

1 of selection_* and not 1 of filter_optional_*

Stage 1: selection_generic

selection_generic:
    QueryName|endswith:
        - 'agent.jumpcloud.com'
        - 'agentreporting.atera.com'
        - 'ammyy.com'
        - 'api.parsec.app'
        - 'api.playanext.com'
        - 'api.splashtop.com'
        - 'app.atera.com'
        - 'assist.zoho.com'
        - 'authentication.logmeininc.com'
        - 'beyondtrustcloud.com'
        - 'cdn.kaseya.net'
        - 'client.teamviewer.com'
        - 'comserver.corporate.beanywhere.com'
        - 'control.connectwise.com'
        - 'downloads.zohocdn.com'
        - 'dwservice.net'
        - 'express.gotoassist.com'
        - 'getgo.com'
        - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
        - 'integratedchat.teamviewer.com'
        - 'join.zoho.com'
        - 'kickstart.jumpcloud.com'
        - 'license.bomgar.com'
        - 'logmein-gateway.com'
        - 'logmein.com'
        - 'logmeincdn.http.internapcdn.net'
        - 'n-able.com'
        - 'net.anydesk.com'
        - 'netsupportsoftware.com' # For NetSupport Manager RAT
        - 'parsecusercontent.com'
        - 'pubsub.atera.com'
        - 'relay.kaseya.net'
        - 'relay.screenconnect.com'
        - 'relay.splashtop.com'
        - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
        - 'remotedesktop-pa.googleapis.com'
        - 'remoteutilities.com' # Usage of Remote Utilities RAT
        - 'secure.logmeinrescue.com'
        - 'services.vnc.com'
        - 'static.remotepc.com'
        - 'swi-rc.com'
        - 'swi-tc.com'
        - 'tailscale.com' # Scattered Spider threat group used this RMM tool
        - 'telemetry.servers.qetqo.com'
        - 'tmate.io'
        - 'twingate.com'  # Scattered Spider threat group used this RMM tool
        - 'zohoassist.com'

Stage 2: selection_rustdesk

selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
    QueryName|endswith: '.rustdesk.com'
    QueryName|startswith: 'rs-'

Stage 3: not filter_optional_*

filter_optional_chrome:
    Image:
        - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
    Image:
        - 'C:\Program Files\Mozilla Firefox\firefox.exe'
        - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
    Image:
        - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
        - 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_edge_1:
    - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
    - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
    - Image:
          - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
          - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
    Image|startswith:
        - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
        - 'C:\Program Files\Microsoft\EdgeCore\'
    Image|endswith:
        - '\msedge.exe'
        - '\msedgewebview2.exe'
filter_optional_safari:
    Image|endswith: '\safari.exe'
filter_optional_defender:
    Image|endswith:
        - '\MsMpEng.exe' # Microsoft Defender executable
        - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_optional_brave:
    Image|endswith: '\brave.exe'
    Image|startswith: 'C:\Program Files\BraveSoftware\'
filter_optional_maxthon:
    Image|contains: '\AppData\Local\Maxthon\'
    Image|endswith: '\maxthon.exe'
filter_optional_opera:
    Image|contains: '\AppData\Local\Programs\Opera\'
    Image|endswith: '\opera.exe'
filter_optional_seamonkey:
    Image|startswith:
        - 'C:\Program Files\SeaMonkey\'
        - 'C:\Program Files (x86)\SeaMonkey\'
    Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
    Image|contains: '\AppData\Local\Vivaldi\'
    Image|endswith: '\vivaldi.exe'
filter_optional_whale:
    Image|startswith:
        - 'C:\Program Files\Naver\Naver Whale\'
        - 'C:\Program Files (x86)\Naver\Naver Whale\'
    Image|endswith: '\whale.exe'
filter_optional_tor:
    Image|contains: '\Tor Browser\'
filter_optional_whaterfox:
    Image|startswith:
        - 'C:\Program Files\Waterfox\'
        - 'C:\Program Files (x86)\Waterfox\'
    Image|endswith: '\Waterfox.exe'
filter_optional_midori:
    Image|contains: '\AppData\Local\Programs\midori-ng\'
    Image|endswith: '\Midori Next Generation.exe'
filter_optional_slimbrowser:
    Image|startswith:
        - 'C:\Program Files\SlimBrowser\'
        - 'C:\Program Files (x86)\SlimBrowser\'
    Image|endswith: '\slimbrowser.exe'
filter_optional_flock:
    Image|contains: '\AppData\Local\Flock\'
    Image|endswith: '\Flock.exe'
filter_optional_phoebe:
    Image|contains: '\AppData\Local\Phoebe\'
    Image|endswith: '\Phoebe.exe'
filter_optional_falkon:
    Image|startswith:
        - 'C:\Program Files\Falkon\'
        - 'C:\Program Files (x86)\Falkon\'
    Image|endswith: '\falkon.exe'
filter_optional_avant:
    Image|startswith:
        - 'C:\Program Files (x86)\Avant Browser\'
        - 'C:\Program Files\Avant Browser\'
    Image|endswith: '\avant.exe'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
3Imageends_with\msedge.exe
3Imageends_with\msedgewebview2.exe
3Imagestarts_withC:\Program Files (x86)\Microsoft\EdgeCore\
3Imagestarts_withC:\Program Files\Microsoft\EdgeCore\
3Imagestarts_withC:\Program Files (x86)\Avant Browser\
3Imagestarts_withC:\Program Files\Avant Browser\
3Imageends_with\avant.exe
3Imagestarts_withC:\Program Files (x86)\Falkon\
3Imagestarts_withC:\Program Files\Falkon\
3Imageends_with\falkon.exe
3Imagestarts_withC:\Program Files (x86)\Naver\Naver Whale\
3Imagestarts_withC:\Program Files\Naver\Naver Whale\
3Imageends_with\whale.exe
3Imagestarts_withC:\Program Files (x86)\SeaMonkey\
3Imagestarts_withC:\Program Files\SeaMonkey\
3Imageends_with\seamonkey.exe
3Imagestarts_withC:\Program Files (x86)\SlimBrowser\
3Imagestarts_withC:\Program Files\SlimBrowser\
3Imageends_with\slimbrowser.exe
3Imagestarts_withC:\Program Files (x86)\Waterfox\
3Imagestarts_withC:\Program Files\Waterfox\
3Imageends_with\Waterfox.exe
3Imageends_with\Flock.exe
3Imagematch\AppData\Local\Flock\
3Imageends_with\Midori Next Generation.exe
3Imagematch\AppData\Local\Programs\midori-ng\
3Imageends_with\Phoebe.exe
3Imagematch\AppData\Local\Phoebe\
3Imageends_with\brave.exe
3Imagestarts_withC:\Program Files\BraveSoftware\
3Imageends_with\maxthon.exe
3Imagematch\AppData\Local\Maxthon\
3Imageends_with\opera.exe
3Imagematch\AppData\Local\Programs\Opera\
3Imageends_with\vivaldi.exe
3Imagematch\AppData\Local\Vivaldi\
3Imageends_with\MsMpEng.exe
3Imageends_with\MsSense.exe
3Imageends_with\WindowsApps\MicrosoftEdge.exe
3Imageends_with\safari.exe
3ImageeqC:\Program Files (x86)\Google\Chrome\Application\chrome.exe
3ImageeqC:\Program Files (x86)\Internet Explorer\iexplore.exe
3ImageeqC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
3ImageeqC:\Program Files (x86)\Mozilla Firefox\firefox.exe
3ImageeqC:\Program Files\Google\Chrome\Application\chrome.exe
3ImageeqC:\Program Files\Internet Explorer\iexplore.exe
3ImageeqC:\Program Files\Microsoft\Edge\Application\msedge.exe
3ImageeqC:\Program Files\Mozilla Firefox\firefox.exe
3Imagematch\Tor Browser\
3Imagestarts_withC:\Program Files (x86)\Microsoft\EdgeWebView\Application\

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
QueryNameends_with
  • .rustdesk.com
  • agent.jumpcloud.com
  • agentreporting.atera.com
  • ammyy.com
  • api.parsec.app
  • api.playanext.com
  • api.splashtop.com
  • app.atera.com
  • assist.zoho.com
  • authentication.logmeininc.com
  • beyondtrustcloud.com
  • cdn.kaseya.net
  • client.teamviewer.com
  • comserver.corporate.beanywhere.com
  • control.connectwise.com
  • downloads.zohocdn.com
  • dwservice.net
  • express.gotoassist.com
  • getgo.com
  • getscreen.me
  • integratedchat.teamviewer.com
  • join.zoho.com
  • kickstart.jumpcloud.com
  • license.bomgar.com
  • logmein-gateway.com
  • logmein.com
  • logmeincdn.http.internapcdn.net
  • n-able.com
  • net.anydesk.com
  • netsupportsoftware.com
  • parsecusercontent.com
  • pubsub.atera.com
  • relay.kaseya.net
  • relay.screenconnect.com
  • relay.splashtop.com
  • remoteassistance.support.services.microsoft.com corpus 2 (sigma 2)
  • remotedesktop-pa.googleapis.com
  • remoteutilities.com
  • secure.logmeinrescue.com
  • services.vnc.com
  • static.remotepc.com
  • swi-rc.com
  • swi-tc.com
  • tailscale.com
  • telemetry.servers.qetqo.com
  • tmate.io
  • twingate.com
  • zohoassist.com
QueryNamestarts_with
  • rs-