Windows Hosts Querying Abused Web Services
Suspicious processes on Windows hosts are making DNS queries to known, abused web services such as text-paste sites, file sharing platforms, and tunneling services, potentially indicating malware downloading or command and control activity.
This threat brief highlights the use of legitimate web services for malicious purposes. Attackers often leverage these services to host malware, exfiltrate data, or establish command and control (C2) channels. This activity focuses on detecting suspicious processes making DNS queries to domains associated with services like pastebin.com, mediafire.com, and ngrok.io. These services are abused due to their widespread use and the trust often placed in them, making it easier for attackers to blend in with normal network traffic. The increased use of such services in malicious campaigns necessitates proactive detection and monitoring. The scope of targeting includes any Windows endpoint within an organization's network. This activity is commonly seen across various malware families.
Attack Chain
- A user clicks a malicious link or opens a compromised document (not directly observed in source).
- The compromised document executes a malicious script, such as PowerShell, via
cmd.exe. - The script initiates a DNS query to a known, abused web service, like
pastebin.com, using Windows DNS client. - The attacker retrieves a payload or configuration from the web service via HTTP or HTTPS.
- The script downloads and executes the payload in memory or on disk.
- The payload establishes persistence and begins beaconing to a command-and-control server, potentially using
ngrok.iofor tunneling. - The attacker uses the C2 channel to send commands and exfiltrate sensitive data or deploy additional malware.
- The attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.
Impact
Successful exploitation can lead to various detrimental outcomes. Malware infections can disrupt business operations, resulting in financial losses and reputational damage. Data exfiltration can compromise sensitive information, leading to legal and regulatory penalties. Ransomware deployment can encrypt critical files, holding the organization hostage. The wide range of services abused makes detection challenging but crucial. The impact can range from a single compromised host to a full-scale network breach.
Recommendation
- Enable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events (reference: description, search query).
- Deploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment's baseline (reference: rules).
- Review and update firewall rules to restrict access to known abused web services if they are not required for business operations (reference: iocs).
- Investigate any alerts generated by these rules to identify and remediate potentially compromised hosts (reference: rules).
Detection coverage 2
Detect DNS Queries to Known Abused Web Services
mediumDetects processes making DNS queries to domains associated with abused web services.
Suspicious Process Accessing Abused Web Services
mediumDetects unusual processes making connections to abused web services
Detection queries are available on the platform. Get full rules →
Indicators of compromise
33
domain
| Type | Value |
|---|---|
| domain | objects.githubusercontent.com |
| domain | anonfiles.com |
| domain | cdn.discordapp.com |
| domain | ddns.net |
| domain | dl.dropboxusercontent.com |
| domain | duckdns.org |
| domain | ghostbin.co |
| domain | glitch.me |
| domain | gofile.io |
| domain | hastebin.com |
| domain | mediafire.com |
| domain | mega.nz |
| domain | ngrok.io |
| domain | onrender.com |
| domain | pages.dev |
| domain | paste.ee |
| domain | pastebin.com |
| domain | pastebin.pl |
| domain | pasteio.com |
| domain | pastetext.net |
| domain | privatlab.com |
| domain | privatlab.net |
| domain | send.exploit.in |
| domain | sendspace.com |
| domain | storage.googleapis.com |
| domain | storjshare.io |
| domain | supabase.co |
| domain | temp.sh |
| domain | transfer.sh |
| domain | trycloudflare.com |
| domain | ufile.io |
| domain | w3spaces.com |
| domain | workers.dev |