Skip to content
Threat Feed
high advisory

Windows Hosts Querying Abused Web Services

Suspicious processes on Windows hosts are making DNS queries to known, abused web services such as text-paste sites, file sharing platforms, and tunneling services, potentially indicating malware downloading or command and control activity.

This threat brief highlights the use of legitimate web services for malicious purposes. Attackers often leverage these services to host malware, exfiltrate data, or establish command and control (C2) channels. This activity focuses on detecting suspicious processes making DNS queries to domains associated with services like pastebin.com, mediafire.com, and ngrok.io. These services are abused due to their widespread use and the trust often placed in them, making it easier for attackers to blend in with normal network traffic. The increased use of such services in malicious campaigns necessitates proactive detection and monitoring. The scope of targeting includes any Windows endpoint within an organization's network. This activity is commonly seen across various malware families.

Attack Chain

  1. A user clicks a malicious link or opens a compromised document (not directly observed in source).
  2. The compromised document executes a malicious script, such as PowerShell, via cmd.exe.
  3. The script initiates a DNS query to a known, abused web service, like pastebin.com, using Windows DNS client.
  4. The attacker retrieves a payload or configuration from the web service via HTTP or HTTPS.
  5. The script downloads and executes the payload in memory or on disk.
  6. The payload establishes persistence and begins beaconing to a command-and-control server, potentially using ngrok.io for tunneling.
  7. The attacker uses the C2 channel to send commands and exfiltrate sensitive data or deploy additional malware.
  8. The attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.

Impact

Successful exploitation can lead to various detrimental outcomes. Malware infections can disrupt business operations, resulting in financial losses and reputational damage. Data exfiltration can compromise sensitive information, leading to legal and regulatory penalties. Ransomware deployment can encrypt critical files, holding the organization hostage. The wide range of services abused makes detection challenging but crucial. The impact can range from a single compromised host to a full-scale network breach.

Recommendation

  • Enable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events (reference: description, search query).
  • Deploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment's baseline (reference: rules).
  • Review and update firewall rules to restrict access to known abused web services if they are not required for business operations (reference: iocs).
  • Investigate any alerts generated by these rules to identify and remediate potentially compromised hosts (reference: rules).

Detection coverage 2

Detect DNS Queries to Known Abused Web Services

medium

Detects processes making DNS queries to domains associated with abused web services.

sigma tactics: command_and_control techniques: T1102 sources: dns_query, windows

Suspicious Process Accessing Abused Web Services

medium

Detects unusual processes making connections to abused web services

sigma tactics: command_and_control techniques: T1102 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

33

domain

TypeValue
domainobjects.githubusercontent.com
domainanonfiles.com
domaincdn.discordapp.com
domainddns.net
domaindl.dropboxusercontent.com
domainduckdns.org
domainghostbin.co
domainglitch.me
domaingofile.io
domainhastebin.com
domainmediafire.com
domainmega.nz
domainngrok.io
domainonrender.com
domainpages.dev
domainpaste.ee
domainpastebin.com
domainpastebin.pl
domainpasteio.com
domainpastetext.net
domainprivatlab.com
domainprivatlab.net
domainsend.exploit.in
domainsendspace.com
domainstorage.googleapis.com
domainstorjshare.io
domainsupabase.co
domaintemp.sh
domaintransfer.sh
domaintrycloudflare.com
domainufile.io
domainw3spaces.com
domainworkers.dev