PowerToys — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/powertoys/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 15:00:00 +0000Detection of Command and Control Activity via Common Web Serviceshttps://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.This detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.

Attack Chain

  1. A user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).
  2. The malicious file executes a process outside of typical program directories (e.g., C:\Windows\Temp).
  3. This process initiates a DNS query to a domain associated with a commonly abused web service (e.g., pastebin.com, githubusercontent.com).
  4. The DNS query resolves to an IP address, and a network connection is established to the web service.
  5. The malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.
  6. The web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.
  7. The attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.

Impact

A successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.

Recommendation

  • Deploy the Sigma rule “Connection to Commonly Abused Web Services” to your SIEM and tune it for your environment to minimize false positives.
  • Enable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the “DNS Query to Commonly Abused Web Services” rule.
  • Investigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.
  • Review and update the list of excluded processes in the Sigma rule to reflect your organization’s approved software and reduce false positives.
]]>lowadvisorycommand-and-controlwebservicewindows