{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/glitch.me/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["githubusercontent.com","anonfiles.com","argotunnel.com","cdn.discordapp.com","ddns.net","dl.dropboxusercontent.com","duckdns.org","ghostbin.co","glitch.me","gofile.io","hastebin.com","mediafire.com","mega.nz","ngrok.io","onrender.com","pages.dev","paste.ee","pastebin.com","pastebin.pl","pasteio.com","pastetext.net","privatlab.com","privatlab.net","send.exploit.in","sendspace.com","storage.googleapis.com","storjshare.io","supabase.co","temp.sh","textbin","transfer.sh","trycloudflare.com","ufile.io","w3spaces.com","workers.dev"],"_cs_severities":["medium"],"_cs_tags":["abused-web-service","command-and-control","initial-access","windows"],"_cs_type":"advisory","_cs_vendors":["GitHub","Dropbox","NGROK","Cloudflare","Google"],"content_html":"\u003cp\u003eThis threat brief highlights the abuse of legitimate web services by threat actors to host and distribute malicious content, as well as to facilitate command and control (C2) activities. The activity is identified through DNS queries originating from Windows hosts to a list of known, abused web services, including paste sites (e.g., Pastebin), file hosting services (e.g., Mediafire), and cloud platforms (e.g., Cloudflare Workers). This technique allows attackers to evade traditional network-based detections by leveraging the reputation and infrastructure of these legitimate services. Detection is based on Sysmon Event ID 22 (DNS Query) logs. This is significant as it may indicate initial access, command and control, or lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user on a Windows host inadvertently clicks a malicious link or opens a compromised document.\u003c/li\u003e\n\u003cli\u003eThe malicious content triggers a process (e.g., PowerShell, cmd.exe) to execute.\u003c/li\u003e\n\u003cli\u003eThe executed process initiates a DNS query to a known, abused web service (e.g., pastebin.com, mega.nz) using the Windows DNS client.\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves to the IP address of the web service hosting the malicious payload or C2 instructions.\u003c/li\u003e\n\u003cli\u003eThe process establishes a network connection (HTTP/HTTPS) to the resolved IP address to download a file or receive commands.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk or executed directly in memory.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious activities, such as establishing persistence, exfiltrating data, or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the initial compromise of a system, allowing attackers to establish a foothold within the network. This can result in data theft, deployment of ransomware, or further propagation of the attack to other systems on the network. Identifying systems making these queries can help identify compromised systems and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon DNS query logging (Event ID 22) to capture DNS requests for external domains.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Abused Web Services DNS Queries\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the domains listed in the IOC table and investigate any suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised host.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains listed in the IOC table at the DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-windows-abused-web-services/","summary":"Adversaries may use abused web services such as paste sites, VoIP, and file hosting to host malicious payloads or facilitate command and control, detected via DNS queries from Windows hosts to these services.","title":"Windows Hosts Querying Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-abused-web-services/"}],"language":"en","title":"CraftedSignal Threat Feed — Glitch.me","version":"https://jsonfeed.org/version/1.1"}