Suspicious Process DNS Queries to Known Abuse Web Services
This analytic detects suspicious processes such as cmd.exe and powershell.exe making DNS queries to known, abused web services like Pastebin, Discord, and Telegram, potentially indicating malicious file downloads for initial access.
This detection identifies suspicious process behavior related to DNS queries targeting web services known for abuse. It specifically focuses on processes like cmd.exe, powershell.exe, and scripting hosts resolving domains associated with text-paste services (e.g., Pastebin), VoIP platforms (e.g., Discord), instant messaging (e.g., Telegram), and digital distribution platforms. The activity is flagged as suspicious due to the potential for malicious actors to leverage these services for command and control (C2) communication, hosting malicious payloads, or distributing malware downloaders. Successful exploitation can lead to unauthorized code execution, data exfiltration, and system compromise. This activity began being tracked in early 2022 with malware like WhisperGate using similar methods.
Attack Chain
- A user inadvertently executes a malicious document or script delivered via phishing or other means.
- The malicious script (e.g., PowerShell) is launched, often from a compromised process like a macro-enabled Office document.
- The script initiates a DNS query to a Pastebin-like service to retrieve a malicious payload or further instructions using
QueryName IN ("*pastebin*", "*discord*", "*api.telegram*","*t.me*"). - The script downloads the payload from the web service using tools like
powershell.exeorcmd.exe. - The downloaded payload is executed, potentially leading to further exploitation.
- The payload establishes persistence through scheduled tasks or registry modifications.
- The compromised system communicates with a command and control (C2) server to receive further instructions.
- The attacker performs lateral movement and data exfiltration.
Impact
Successful exploitation can lead to the execution of malicious code, data exfiltration, or ransomware deployment. Victims may experience data loss, system instability, and financial losses due to incident response and recovery efforts. This technique has been observed in various malware campaigns, including those distributing stealers, keyloggers, and ransomware, impacting organizations across multiple sectors. The WhisperGate malware, for example, used similar techniques to target Ukrainian organizations.
Recommendation
- Enable Sysmon Event ID 22 (DNS Query) logging on all endpoints to provide the data source for the provided Sigma rules.
- Deploy the provided Sigma rule
Suspicious Process DNS Query Known Abuse Web Servicesto your SIEM and tune theprocess_nameandImagefilters for your environment. - Investigate any alerts triggered by the provided Sigma rules, prioritizing those involving processes running from unusual locations like
\users\public\,\programdata\,\temp\,\Windows\Tasks\,\appdata\, or\perflogs\. - Block access to the URL listed in the IOC table,
https://urlhaus.abuse.ch/url/1798923/, at your network perimeter to prevent access to potentially malicious content.
Detection coverage 2
Suspicious Process DNS Query Known Abuse Web Services
highDetects suspicious processes making DNS queries to known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms.
Suspicious Process Image DNS Query Known Abuse Web Services
mediumDetects suspicious processes with images from unusual locations making DNS queries to known, abused web services, VoIP, instant messaging, and digital distribution platforms.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
url
| Type | Value |
|---|---|
| url | https://urlhaus.abuse.ch/url/1798923/ |