Windows Hosts Querying Abused Web Services
Adversaries may use abused web services such as paste sites, VoIP, and file hosting to host malicious payloads or facilitate command and control, detected via DNS queries from Windows hosts to these services.
This threat brief highlights the abuse of legitimate web services by threat actors to host and distribute malicious content, as well as to facilitate command and control (C2) activities. The activity is identified through DNS queries originating from Windows hosts to a list of known, abused web services, including paste sites (e.g., Pastebin), file hosting services (e.g., Mediafire), and cloud platforms (e.g., Cloudflare Workers). This technique allows attackers to evade traditional network-based detections by leveraging the reputation and infrastructure of these legitimate services. Detection is based on Sysmon Event ID 22 (DNS Query) logs. This is significant as it may indicate initial access, command and control or lateral movement within the network.
Attack Chain
- A user on a Windows host inadvertently clicks a malicious link or opens a compromised document.
- The malicious content triggers a process (e.g., PowerShell, cmd.exe) to execute.
- The executed process initiates a DNS query to a known, abused web service (e.g., pastebin.com, mega.nz) through the Windows DNS client.
- The DNS query resolves to the IP address of the web service hosting the malicious payload or C2 instructions.
- The process establishes a network connection (HTTP/HTTPS) to the resolved IP address to download a file or receive commands.
- The downloaded file is saved to disk or executed directly in memory.
- The executed payload performs malicious activities, such as establishing persistence, exfiltrating data, or deploying additional malware.
Impact
Successful exploitation can lead to the initial compromise of a system, allowing attackers to establish a foothold within the network. This can result in data theft, deployment of ransomware, or further propagation of the attack to other systems on the network. Identifying the hosts that make these queries helps surface compromised systems and prevent further damage.
Recommendation
- Enable Sysmon DNS query logging (Event ID 22) to capture DNS requests for external domains.
- Deploy the Sigma rule "Detect Windows Abused Web Services DNS Queries" to your SIEM and tune it for your environment.
- Monitor network traffic for connections to the domains listed in the IOC table and investigate any suspicious activity.
- Implement network segmentation to limit the impact of a compromised host.
- Block the C2 domains listed in the IOC table at the DNS resolver.
Detection coverage (2 rules)
- Detect Windows Abused Web Services DNS Queries (medium): detects DNS queries to known abused web services from Windows hosts.
- Detect Process Accessing Abused Web Services (medium): detects processes making network connections to known abused web services.
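As an added example (not the brief's own code or the Sigma rule's logic), the following Python matches Sysmon Event ID 22 records against a subset of the IOC domains listed in this brief, requiring a label boundary so that a look-alike such as notpastebin.com is not flagged. The event XML is constructed sample data, and the `<Events>` wrapper element is an assumption used to hold several exported events in one string.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the brief's IOC domains; a query matches if it equals one of
# these names or is a subdomain of it.
ABUSED_DOMAINS = ("pastebin.com", "mega.nz", "cdn.discordapp.com",
                  "trycloudflare.com", "workers.dev", "paste.ee")

# Constructed Sysmon events in Windows event XML form (not real telemetry).
# The <Events> wrapper is an assumption, not part of the Sysmon schema.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>22</EventID><Computer>WS01</Computer></System>
 <EventData><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="QueryName">pastebin.com</Data><Data Name="QueryStatus">0</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>22</EventID><Computer>WS01</Computer></System>
 <EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  <Data Name="QueryName">abc-def.trycloudflare.com.</Data><Data Name="QueryStatus">0</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>22</EventID><Computer>WS02</Computer></System>
 <EventData><Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
  <Data Name="QueryName">notpastebin.com</Data><Data Name="QueryStatus">0</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID><Computer>WS02</Computer></System>
 <EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  <Data Name="DestinationHostname">mega.nz</Data></EventData></Event>
</Events>"""


def matched_ioc(query_name, domains=ABUSED_DOMAINS):
    """Return the IOC domain that query_name equals or is a subdomain of, else None.
    Case and a trailing FQDN dot are normalised; the '.' boundary prevents a bare
    suffix match from flagging look-alikes such as notpastebin.com."""
    name = query_name.strip().lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def detect_abused_dns(xml_text, domains=ABUSED_DOMAINS):
    """Return (computer, image, query_name, ioc) for every Event ID 22 that hits the list."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue  # only DNS query events; network-connection events (ID 3) are out of scope
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        ioc = matched_ioc(data.get("QueryName", ""), domains)
        if ioc:
            hits.append((ev.findtext("e:System/e:Computer", namespaces=NS),
                         data.get("Image", ""), data["QueryName"], ioc))
    return hits


if __name__ == "__main__":
    for computer, image, qname, ioc in detect_abused_dns(SAMPLE_EVENTS):
        print(f"{computer}: {image} queried {qname} (IOC: {ioc})")
```

Only the two queries from powershell.exe and cmd.exe are reported; the Firefox look-alike query and the Event ID 3 record are ignored.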
Indicators of compromise
34 indicators, all of type domain.