detection.wiki

Detection rules › Sigma

DNS Query To Remote Access Software Domain From Non-Browser App

Severity
medium
Author
frack113, Connor Martin
Source
upstream

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

MITRE ATT&CK coverage

TacticTechniques
Command & ControlT1219.002 Remote Access Tools: Remote Desktop Software

Event coverage

ProviderEvent IDTitle
Sysmon22DNSEvent (DNS query)

Stages and Predicates

Stage 1: 1 of selection_generic

or:
QueryName|endswith: agent.jumpcloud.com
QueryName|endswith: agentreporting.atera.com
QueryName|endswith: ammyy.com
QueryName|endswith: api.parsec.app
QueryName|endswith: api.playanext.com
QueryName|endswith: api.splashtop.com
QueryName|endswith: app.atera.com
QueryName|endswith: assist.zoho.com
QueryName|endswith: authentication.logmeininc.com
QueryName|endswith: beyondtrustcloud.com
QueryName|endswith: cdn.kaseya.net
QueryName|endswith: client.teamviewer.com
QueryName|endswith: 'comserver.corporate.beanywhere.com'
QueryName|endswith: control.connectwise.com
QueryName|endswith: downloads.zohocdn.com
QueryName|endswith: dwservice.net
QueryName|endswith: express.gotoassist.com
QueryName|endswith: getgo.com
QueryName|endswith: getscreen.me
QueryName|endswith: integratedchat.teamviewer.com
QueryName|endswith: join.zoho.com
QueryName|endswith: kickstart.jumpcloud.com
QueryName|endswith: license.bomgar.com
QueryName|endswith: logmein-gateway.com
QueryName|endswith: logmein.com
QueryName|endswith: logmeincdn.http.internapcdn.net
QueryName|endswith: n-able.com
QueryName|endswith: net.anydesk.com
QueryName|endswith: netsupportsoftware.com
QueryName|endswith: parsecusercontent.com
QueryName|endswith: pubsub.atera.com
QueryName|endswith: relay.kaseya.net
QueryName|endswith: relay.screenconnect.com
QueryName|endswith: relay.splashtop.com
QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
QueryName|endswith: remotedesktop-pa.googleapis.com
QueryName|endswith: remoteutilities.com
QueryName|endswith: secure.logmeinrescue.com
QueryName|endswith: services.vnc.com
QueryName|endswith: static.remotepc.com
QueryName|endswith: swi-rc.com
QueryName|endswith: swi-tc.com
QueryName|endswith: tailscale.com
QueryName|endswith: telemetry.servers.qetqo.com
QueryName|endswith: tmate.io
QueryName|endswith: twingate.com
QueryName|endswith: zohoassist.com

Stage 2: 1 of selection_rustdesk

QueryName|endswith: .rustdesk.com
QueryName|startswith: rs-

Stage 3: not 1 of filter_optional_*

or:
or:
Image|endswith: '\msedge.exe'
Image|endswith: '\msedgewebview2.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeCore\'
Image|startswith: 'C:\Program Files\Microsoft\EdgeCore\'
or:
Image|startswith: 'C:\Program Files (x86)\Avant Browser\'
Image|startswith: 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Falkon\'
Image|startswith: 'C:\Program Files\Falkon\'
Image|endswith: '\falkon.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|startswith: 'C:\Program Files\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
or:
Image|startswith: 'C:\Program Files (x86)\SeaMonkey\'
Image|startswith: 'C:\Program Files\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
or:
Image|startswith: 'C:\Program Files (x86)\SlimBrowser\'
Image|startswith: 'C:\Program Files\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
or:
Image|startswith: 'C:\Program Files (x86)\Waterfox\'
Image|startswith: 'C:\Program Files\Waterfox\'
Image|endswith: '\Waterfox.exe'
Image|endswith: '\Flock.exe'
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Midori Next Generation.exe'
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Phoebe.exe'
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
Image|endswith: '\maxthon.exe'
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\opera.exe'
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\vivaldi.exe'
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\MsMpEng.exe'
Image|endswith: '\MsSense.exe'
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
Image|endswith: '\safari.exe'
Image: 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
Image: 'C:\Program Files\Internet Explorer\iexplore.exe'
Image: 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
Image|contains: '\Tor Browser\'
Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \Flock.exe corpus 4 (sigma 4)
  • \Midori Next Generation.exe corpus 3 (sigma 3)
  • \MsMpEng.exe corpus 13 (sigma 13)
  • \MsSense.exe corpus 5 (sigma 5)
  • \Phoebe.exe corpus 4 (sigma 4)
  • \Waterfox.exe corpus 4 (sigma 4)
  • \WindowsApps\MicrosoftEdge.exe corpus 12 (sigma 12)
  • \avant.exe corpus 4 (sigma 4)
  • \brave.exe corpus 20 (sigma 20)
  • \falkon.exe corpus 4 (sigma 4)
  • \maxthon.exe corpus 13 (sigma 13)
  • \msedge.exe corpus 22 (sigma 22)
  • \msedgewebview2.exe corpus 15 (sigma 15)
  • \opera.exe corpus 21 (sigma 21)
  • \safari.exe corpus 12 (sigma 12)
  • \seamonkey.exe corpus 13 (sigma 13)
  • \slimbrowser.exe corpus 4 (sigma 4)
  • \vivaldi.exe corpus 19 (sigma 19)
  • \whale.exe corpus 12 (sigma 12)
Imageeq
  • C:\Program Files (x86)\Google\Chrome\Application\chrome.exe corpus 11 (sigma 11)
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe corpus 10 (sigma 10)
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe corpus 11 (sigma 11)
  • C:\Program Files (x86)\Mozilla Firefox\firefox.exe corpus 11 (sigma 11)
  • C:\Program Files\Google\Chrome\Application\chrome.exe corpus 12 (sigma 12)
  • C:\Program Files\Internet Explorer\iexplore.exe corpus 11 (sigma 11)
  • C:\Program Files\Microsoft\Edge\Application\msedge.exe corpus 11 (sigma 11)
  • C:\Program Files\Mozilla Firefox\firefox.exe corpus 12 (sigma 12)
Imagematch
  • \AppData\Local\Flock\ corpus 4 (sigma 4)
  • \AppData\Local\Maxthon\ corpus 4 (sigma 4)
  • \AppData\Local\Phoebe\ corpus 4 (sigma 4)
  • \AppData\Local\Programs\Opera\ corpus 5 (sigma 5)
  • \AppData\Local\Programs\midori-ng\ corpus 3 (sigma 3)
  • \AppData\Local\Vivaldi\ corpus 4 (sigma 4)
  • \Tor Browser\ corpus 2 (sigma 2)
Imagestarts_with
  • C:\Program Files (x86)\Avant Browser\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\Falkon\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\Microsoft\EdgeCore\ corpus 11 (sigma 11)
  • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ corpus 10 (sigma 10)
  • C:\Program Files (x86)\Naver\Naver Whale\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\SeaMonkey\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\SlimBrowser\ corpus 4 (sigma 4)
  • C:\Program Files (x86)\Waterfox\ corpus 4 (sigma 4)
  • C:\Program Files\Avant Browser\ corpus 4 (sigma 4)
  • C:\Program Files\BraveSoftware\ corpus 4 (sigma 4)
  • C:\Program Files\Falkon\ corpus 4 (sigma 4)
  • C:\Program Files\Microsoft\EdgeCore\ corpus 11 (sigma 11)
  • C:\Program Files\Naver\Naver Whale\ corpus 4 (sigma 4)
  • C:\Program Files\SeaMonkey\ corpus 4 (sigma 4)
  • C:\Program Files\SlimBrowser\ corpus 4 (sigma 4)
  • C:\Program Files\Waterfox\ corpus 4 (sigma 4)
QueryNameends_with
  • .rustdesk.com
  • agent.jumpcloud.com
  • agentreporting.atera.com
  • ammyy.com
  • api.parsec.app
  • api.playanext.com
  • api.splashtop.com
  • app.atera.com
  • assist.zoho.com
  • authentication.logmeininc.com
  • beyondtrustcloud.com
  • cdn.kaseya.net
  • client.teamviewer.com
  • comserver.corporate.beanywhere.com
  • control.connectwise.com
  • downloads.zohocdn.com
  • dwservice.net
  • express.gotoassist.com
  • getgo.com
  • getscreen.me
  • integratedchat.teamviewer.com
  • join.zoho.com
  • kickstart.jumpcloud.com
  • license.bomgar.com
  • logmein-gateway.com
  • logmein.com
  • logmeincdn.http.internapcdn.net
  • n-able.com
  • net.anydesk.com
  • netsupportsoftware.com
  • parsecusercontent.com
  • pubsub.atera.com
  • relay.kaseya.net
  • relay.screenconnect.com
  • relay.splashtop.com
  • remoteassistance.support.services.microsoft.com corpus 2 (sigma 2)
  • remotedesktop-pa.googleapis.com
  • remoteutilities.com
  • secure.logmeinrescue.com
  • services.vnc.com
  • static.remotepc.com
  • swi-rc.com
  • swi-tc.com
  • tailscale.com
  • telemetry.servers.qetqo.com
  • tmate.io
  • twingate.com
  • zohoassist.com
QueryNamestarts_with
  • rs-