{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/supabase/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","OneDrive","Chrome","Opera","Fiddler","PowerToys","Vivaldi","Zen Browser","WaveBrowser","MicrosoftEdgeCP"],"_cs_severities":["low"],"_cs_tags":["command-and-control","webservice","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Google","BraveSoftware","Opera","Vivaldi","Wavesor Software","Discord","Telegram","Facebook","Trello","GitHub","Supabase"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).\u003c/li\u003e\n\u003cli\u003eThe malicious file executes a process outside of typical program directories (e.g., \u003ccode\u003eC:\\Windows\\Temp\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis process initiates a DNS query to a domain associated with a commonly abused web service (e.g., \u003ccode\u003epastebin.com\u003c/code\u003e, \u003ccode\u003egithubusercontent.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe DNS query resolves to an IP address, and a network connection is established to the web service.\u003c/li\u003e\n\u003cli\u003eThe malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Connection to Commonly Abused Web Services\u0026rdquo; to your SIEM and tune it for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the \u0026ldquo;DNS Query to Commonly Abused Web Services\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eReview and update the list of excluded processes in the Sigma rule to reflect your organization\u0026rsquo;s approved software and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-common-web-services-c2/","summary":"This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.","title":"Detection of Command and Control Activity via Common Web Services","url":"https://feed.craftedsignal.io/briefs/2024-01-common-web-services-c2/"}],"language":"en","title":"CraftedSignal Threat Feed — Supabase","version":"https://jsonfeed.org/version/1.1"}