
Windows Abused Web Services

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects a suspicious process making DNS queries to known abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, matching the QueryName field against a list of domains belonging to those services. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host.

MITRE ATT&CK coverage

Tactic               Techniques
Command & Control    T1102 Web Service

Event coverage

Provider    Event ID    Title
Sysmon      22          DNSEvent (DNS query)

Stages and Predicates

Stage 1: search

search EventCode=22 QueryName IN ("*//objects.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*duckdns.org*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*ngrok.io*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pasteio.com*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*textbin*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*")

Stage 2: eval

eval ...

Stage 3: eval

eval ...

Stage 4: rename

rename

Stage 5: stats

stats BY answer, answer_count, dest, process_exec, process_guid, process_name, query, query_count, reply_code_id, signature, signature_id, src, user_id, vendor_product, QueryName, QueryResults, QueryStatus

Stage 6: search

search

Stage 7: search

search

Stage 8: search

search `macro`
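To show what the Stage 1 predicate actually matches, here is an added example (not Splunk's code, not part of the rule) that re-implements the EventCode=22 filter and the QueryName IN (...) wildcard list in Python and runs it over a few constructed Sysmon Event ID 22 records. The domain patterns are copied from the rule; the event dictionaries, the field names used for the process (Image) and the wildcard-to-regex translation (case-insensitive, `*` matches anything, everything else literal) are assumptions made for this example.

```python
"""Offline re-implementation of the rule's Stage 1 search, run over
constructed Sysmon Event ID 22 records (added example, not Splunk's code)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Patterns copied verbatim from the rule's QueryName IN (...) list.
ABUSED_WEB_SERVICE_PATTERNS = [
    "*//objects.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*",
    "*ddns.net*", "*dl.dropboxusercontent.com*", "*duckdns.org*", "*ghostbin.co*",
    "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*",
    "*ngrok.io*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*",
    "*pastebin.pl*", "*pasteio.com*", "*pastetext.net*", "*privatlab.com*",
    "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*",
    "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*",
    "*textbin*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*",
    "*w3spaces.com*", "*workers.dev*",
]


def splunk_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk wildcard value into an anchored regex.
    Only '*' is special; dots and slashes are literal. The search command
    compares field values case-insensitively, so IGNORECASE is used here
    (assumption for this example)."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(rf"^{body}$", re.IGNORECASE | re.DOTALL)


COMPILED = [(p, splunk_wildcard_to_regex(p)) for p in ABUSED_WEB_SERVICE_PATTERNS]


def matched_pattern(query_name: str) -> Optional[str]:
    """Return the first rule pattern that matches the DNS query name, or None."""
    for raw, rx in COMPILED:
        if rx.match(query_name):
            return raw
    return None


def detect(events: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Apply EventCode=22 plus the QueryName predicate.
    Returns (process image, query name, matched pattern) per hit."""
    hits = []
    for ev in events:
        if str(ev.get("EventCode")) != "22":          # only Sysmon DNSEvent records
            continue
        pat = matched_pattern(ev.get("QueryName", ""))
        if pat is not None:
            hits.append((ev.get("Image", ""), ev["QueryName"], pat))
    return hits


# Constructed sample events mirroring the Sysmon EID 22 fields the rule uses.
SAMPLE_EVENTS = [
    {"EventCode": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "pastebin.com", "QueryStatus": "0"},
    {"EventCode": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "QueryName": "abc123.trycloudflare.com", "QueryStatus": "0"},
    {"EventCode": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.org", "QueryStatus": "0"},
    # Wrong event ID: the same name in a process-create event must not fire.
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe", "QueryName": "pastebin.com"},
    # Constructed look-alike: '*mega.nz*' is a substring match, so this fires too.
    {"EventCode": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "omega.nz", "QueryStatus": "0"},
]

if __name__ == "__main__":
    for image, query, pattern in detect(SAMPLE_EVENTS):
        print(f"{image} -> {query}  (matched {pattern})")
```

Two tuning points fall out of running it. First, every pattern is wrapped in `*`, so matching is by substring: `*mega.nz*` also fires on `omega.nz`, and `*textbin*` on any name containing that string, so expect to add an allow-list for legitimate look-alikes in your environment. Second, the pattern `*//objects.githubusercontent.com*` keeps a literal `//` from a URL, which never appears in a bare DNS query name, so on Sysmon Event ID 22 data that entry cannot match as written; a plain `*objects.githubusercontent.com*` would.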

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.

Field        Kind    Values
EventCode    eq
  • 22 corpus 15 (splunk 15)
QueryName    in
  • "*//objects.githubusercontent.com*"
  • "*anonfiles.com*"
  • "*cdn.discordapp.com*"
  • "*ddns.net*"
  • "*dl.dropboxusercontent.com*"
  • "*duckdns.org*"
  • "*ghostbin.co*"
  • "*glitch.me*"
  • "*gofile.io*"
  • "*hastebin.com*"
  • "*mediafire.com*"
  • "*mega.nz*"
  • "*ngrok.io*"
  • "*onrender.com*"
  • "*pages.dev*"
  • "*paste.ee*"
  • "*pastebin.com*"
  • "*pastebin.pl*"
  • "*pasteio.com*"
  • "*pastetext.net*"
  • "*privatlab.com*"
  • "*privatlab.net*"
  • "*send.exploit.in*"
  • "*sendspace.com*"
  • "*storage.googleapis.com*"
  • "*storjshare.io*"
  • "*supabase.co*"
  • "*temp.sh*"
  • "*textbin*"
  • "*transfer.sh*"
  • "*trycloudflare.com*"
  • "*ufile.io*"
  • "*w3spaces.com*"
  • "*workers.dev*"