Merge PR SigmaHQ#4980 from @Mahir-Ali-khan - Update `DNS Query To Remote Access Software Domain From Non-Browser App`

update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `remoteassistance.support.services.microsoft.com`, `tailscale.com`, `twingate.com` 

---------

Co-authored-by: nasbench <[email protected]>
Mahir-Ali-khan and nasbench authored Sep 13, 2024
1 parent 71be3c7 commit 99a47e4
Showing 1 changed file with 7 additions and 1 deletion.
@@ -18,9 +18,12 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
- https://redcanary.com/blog/misbehaving-rats/
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2023-09-12
modified: 2024-09-13
tags:
- attack.command-and-control
- attack.t1219
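Review bot: the `modified` bump to 2024-09-13 matches the commit date, and the three added references (the CISA AA23-320A advisory, the Sekoia Scattered Spider post, and the Microsoft Quick Assist page) are the sources the new domain comments in the detection block depend on; one style point is that the Quick Assist link anchors on the "disable Quick Assist within your organization" section, i.e. the mitigation rather than the behaviour, so consider stating in the corresponding domain comment that this reference is the tuning path for environments where Quick Assist is permitted.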
@@ -63,15 +66,18 @@ detection:
- 'relay.kaseya.net'
- 'relay.screenconnect.com'
- 'relay.splashtop.com'
- 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
- 'remotedesktop-pa.googleapis.com'
- 'remoteutilities.com' # Usage of Remote Utilities RAT
- 'secure.logmeinrescue.com'
- 'services.vnc.com'
- 'static.remotepc.com'
- 'swi-rc.com'
- 'swi-tc.com'
- 'tailscale.com' # Scattered Spider threat group used this RMM tool
- 'telemetry.servers.qetqo.com'
- 'tmate.io'
- 'twingate.com' # Scattered Spider threat group used this RMM tool
- 'zohoassist.com'
selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
QueryName|endswith: '.rustdesk.com'
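Review bot: `remoteassistance.support.services.microsoft.com` is contacted by Quick Assist, which ships with Windows, so this addition will raise the rule's false-positive rate wherever help-desk use of Quick Assist is allowed; the Microsoft reference added in this commit covers disabling Quick Assist, which is the documented tuning path, so consider calling that out in the rule's `falsepositives`. Likewise `tailscale.com` and `twingate.com` are apex domains of zero-trust network access products that are legitimately deployed in many enterprises, and if this list is matched with the same `QueryName|endswith` modifier that `selection_rustdesk` uses, the entries will also match every subdomain (e.g. `login.tailscale.com`), which is presumably the intent but widens the match surface; a filter for approved deployments or a `falsepositives` entry would help. Minor wording point on the two comments: both products are VPN/ZTNA tools rather than RMM software, so "remote access tool" would be more accurate than "RMM tool".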
