Detection of Command and Control Activity via Common Web Services

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This detection rule, sourced from Elastic, identifies potential command and control (C2) activity by detecting connections to commonly abused web services. Adversaries often leverage popular web services like pastebin, GitHub, Dropbox, and Discord to mask malicious communications within legitimate network traffic. This technique makes it challenging for defenders to distinguish between normal user activity and malicious C2 traffic. The rule focuses on Windows systems and monitors DNS queries to identify processes communicating with a predefined list of services known to be abused by attackers. The rule was last updated on 2026-05-04 and is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. The goal is to identify anomalous network connections originating from unusual processes.

Attack Chain

A user on a Windows host unknowingly executes a malicious file (e.g., via phishing or drive-by download).
The malicious file executes a process outside of typical program directories (e.g., C:\Windows\Temp).
This process initiates a DNS query to a domain associated with a commonly abused web service (e.g., pastebin.com, githubusercontent.com).
The DNS query resolves to an IP address, and a network connection is established to the web service.
The malicious process uploads or downloads data from the web service, potentially containing commands for the compromised host or exfiltrated data.
The web service acts as an intermediary, relaying commands from the attacker to the compromised host or exfiltrated data from the compromised host to the attacker.
The attacker uses the C2 channel to perform further actions on the compromised host, such as lateral movement or data theft.

Impact

A successful attack using common web services for C2 can lead to data exfiltration, system compromise, and further propagation within the network. The low severity suggests a focus on detecting early-stage C2 activity, which if left unchecked, could escalate into a significant incident. The usage of popular web services makes detection difficult, requiring careful analysis and tuning to avoid false positives.

Recommendation

Deploy the Sigma rule “Connection to Commonly Abused Web Services” to your SIEM and tune it for your environment to minimize false positives.
Enable Sysmon DNS query logging to accurately capture DNS requests for improved detection capabilities, activating the “DNS Query to Commonly Abused Web Services” rule.
Investigate any alerts generated by this rule, focusing on the process execution chain and network connections to determine the legitimacy of the activity, referencing the investigation steps described in the rule documentation.
Review and update the list of excluded processes in the Sigma rule to reflect your organization’s approved software and reduce false positives.

RMM Domain DNS Queries from Non-Browser Processes

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.

Attack Chain

An attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.
The attacker installs an unauthorized RMM tool (e.g., using a script or installer).
The RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).
The system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.
The attacker uses the RMM tool to execute commands on the compromised system.
The attacker uses the RMM tool for lateral movement within the network.
The attacker uses the RMM tool to maintain persistence on the compromised system.

Impact

Compromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker’s ability to move laterally.

Recommendation

Deploy the Sigma rule RMM Domain DNS Queries from Non-Browser Processes to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.
Investigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule’s description.
Monitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.
Enable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the “Setup” section of the content.

Vivaldi — CraftedSignal Threat Feed

Detection of Command and Control Activity via Common Web Services

Attack Chain

Impact

Recommendation

RMM Domain DNS Queries from Non-Browser Processes

Attack Chain

Impact

Recommendation