Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

DNS Query To Remote Access Software Domain From Non-Browser App

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François Hubaut, Connor MartinCreated Mon Jul 11Updated Tue Dec 174d07b1f4-cb00-4470-b9f8-b0191d48ff52windows
Log Source
WindowsDNS Query
ProductWindows← raw: windows
CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic
Detection Logic23 selectors
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com'  # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
False Positives

Likely with other browser software. Apply additional filters for any other browsers you might use.

References
1
Resolving title…
github.com
2
Resolving title…
github.com
3
Resolving title…
github.com
4
Resolving title…
redcanary.com
5
Resolving title…
techcommunity.microsoft.com
6
Resolving title…
cisa.gov
7
Resolving title…
blog.sekoia.io
8
Resolving title…
learn.microsoft.com
MITRE ATT&CK

Other

attack.t1219.002
Related Rules
Similar

71ba22cb-8a01-42e2-a6dd-5bf9b547498f

Rule not found
Similar

7c4cf8e0-1362-48b2-a512-b606d2065d7d

Rule not found
Similar

ed785237-70fa-46f3-83b6-d264d1dc6eb4

Rule not found
Rule Metadata
Rule ID
4d07b1f4-cb00-4470-b9f8-b0191d48ff52
Status
test
Level
medium
Type
Detection
Created
Mon Jul 11
Modified
Tue Dec 17
Author
François Hubaut, Connor Martin
Path
rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
Raw Tags
attack.command-and-controlattack.t1219.002
View on GitHub