<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Paste.ee — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/paste.ee/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/paste.ee/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Hosts Querying Abused Web Services</title><link>https://feed.craftedsignal.io/briefs/2024-01-windows-abused-web-services/</link><pubDate>Wed, 03 Jan 2024 15:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-windows-abused-web-services/</guid><description>Adversaries may use abused web services such as paste sites, VoIP, and file hosting to host malicious payloads or facilitate command and control, detected via DNS queries from Windows hosts to these services.</description><content:encoded><![CDATA[<p>This threat brief highlights the abuse of legitimate web services by threat actors to host and distribute malicious content, as well as to facilitate command and control (C2) activities. The activity is identified through DNS queries originating from Windows hosts to a list of known, abused web services, including paste sites (e.g., Pastebin), file hosting services (e.g., Mediafire), and cloud platforms (e.g., Cloudflare Workers). This technique allows attackers to evade traditional network-based detections by leveraging the reputation and infrastructure of these legitimate services. Detection is based on Sysmon Event ID 22 (DNS Query) logs. 
This is significant because it may indicate initial access, command and control, or lateral movement within the network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user on a Windows host inadvertently clicks a malicious link or opens a compromised document.</li>
<li>The malicious content triggers a process (e.g., PowerShell, cmd.exe) to execute.</li>
<li>The executed process initiates a DNS query to a known, abused web service (e.g., pastebin.com, mega.nz) using the Windows DNS client.</li>
<li>The DNS query resolves to the IP address of the web service hosting the malicious payload or C2 instructions.</li>
<li>The process establishes a network connection (HTTP/HTTPS) to the resolved IP address to download a file or receive commands.</li>
<li>The downloaded file is saved to disk or executed directly in memory.</li>
<li>The executed payload performs malicious activities, such as establishing persistence, exfiltrating data, or deploying additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the initial compromise of a system, allowing attackers to establish a foothold within the network. This can result in data theft, deployment of ransomware, or further propagation of the attack to other systems on the network. Identifying hosts that make these queries can help locate compromised systems and limit further damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon DNS query logging (Event ID 22) to capture DNS requests for external domains.</li>
<li>Deploy the Sigma rule <code>Detect Windows Abused Web Services DNS Queries</code> to your SIEM and tune for your environment.</li>
<li>Monitor network traffic for connections to the domains listed in the IOC table and investigate any suspicious activity.</li>
<li>Implement network segmentation to limit the impact of a compromised host.</li>
<li>Block the C2 domains listed in the IOC table at the DNS resolver.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>abused-web-service</category><category>command-and-control</category><category>initial-access</category><category>windows</category></item></channel></rss>