Description of the Idea of the Rule
Detects a DNS query to a web service known to be abused, issued by a suspicious process. The services covered are text-paste sites, VoIP and instant-messaging platforms, and digital distribution platforms that adversaries, malware authors, and red teams commonly use either to download malicious files or as a Command and Control (C2) channel.
Public References / Example Event Log
```yaml
title: Suspicious Process DNS Query Known Abuse Web Services
id: a0a3e36d-23e2-4199-a681-1f56b3c75f14
status: stable
references:
    - https://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html
author: Rohit Jain
date: 2024/03/01
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    category: dns_query
detection:
    # Domains are shared by both branches, so they are factored into one selection.
    # 't.me' is matched exactly: as a substring it also hits any name containing "t.me".
    selection_domain:
        - QueryName|contains:
              - 'pastebin'
              - 'discord'
              - 'api.telegram'
        - QueryName: 't.me'
    # Scripting hosts and shells ('endswith' on the image name; 'endswith|contains' is not a valid modifier chain).
    selection_img:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    # Binaries running from writable staging directories. 'contains' takes plain strings and is
    # case-insensitive by default, so regex syntax such as '(?i)' and '.*' must not be used here.
    selection_path:
        Image|contains:
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Temp\'
            - '\Windows\Tasks\'
            - '\AppData\'
            - '\PerfLogs\'
    condition: selection_domain and (selection_img or selection_path)
falsepositives:
    - Unknown
level: medium
```
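The following is an added reference implementation of the rule's matching logic in Python, run over a handful of constructed Sysmon Event ID 22 (DNS query) records; it is not part of this issue or of the Sigma project's code. The field names `Image` and `QueryName` are the ones Sysmon emits for DNS query events, which is what the `dns_query` logsource maps to; the sample records and the domain `support.mediahost.example` are constructed for the demonstration.

```python
# Reference implementation of the detection logic: Sigma string matching is
# case-insensitive by default, so everything is compared in lower case.

DOMAIN_CONTAINS = ("pastebin", "discord", "api.telegram")
DOMAIN_EXACT = ("t.me",)
IMAGE_ENDSWITH = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe",
)
PATH_CONTAINS = (
    "\\users\\public\\", "\\programdata\\", "\\temp\\",
    "\\windows\\tasks\\", "\\appdata\\", "\\perflogs\\",
)


def suspicious_domain(query_name: str) -> bool:
    """selection_domain: substring match for most services, exact match for t.me."""
    q = query_name.lower()
    return any(s in q for s in DOMAIN_CONTAINS) or q in DOMAIN_EXACT


def suspicious_image(image: str) -> bool:
    """selection_img: the querying process is a shell or script host."""
    return image.lower().endswith(IMAGE_ENDSWITH)


def suspicious_path(image: str) -> bool:
    """selection_path: the querying binary lives in a writable staging directory."""
    i = image.lower()
    return any(p in i for p in PATH_CONTAINS)


def rule_matches(event: dict) -> bool:
    """condition: selection_domain and (selection_img or selection_path)."""
    image = event.get("Image", "")
    return suspicious_domain(event.get("QueryName", "")) and (
        suspicious_image(image) or suspicious_path(image)
    )


def run(events):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if rule_matches(e)]


# Constructed Sysmon Event ID 22 records (only the two fields the rule uses).
SAMPLE_EVENTS = [
    # 1: script host resolving a paste site -> selection_img
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "QueryName": "pastebin.com"},
    # 2: unknown binary in a public directory talking to the Telegram Bot API -> selection_path
    {"Image": "C:\\Users\\Public\\update.exe", "QueryName": "api.telegram.org"},
    # 3: the legitimate Discord desktop client, which installs under %LOCALAPPDATA%,
    #    also satisfies selection_path and is the rule's most obvious false positive
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9035\\Discord.exe",
     "QueryName": "discord.com"},
    # 4: browser from Program Files querying a paste site -> no match
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "pastebin.com"},
    # 5: cmd.exe querying a domain outside the list -> no match
    {"Image": "C:\\Windows\\System32\\cmd.exe", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["QueryName"])
```

Record 3 is the caveat a practitioner should expect before deploying this: the Discord desktop client installs under `%LOCALAPPDATA%\Discord`, so it matches `selection_path` on every DNS query it makes, and the same applies to other chat clients that install per-user under `AppData`. Those should be listed under `falsepositives` and filtered (for example on a signed image or a known install path) rather than left as "Unknown". The exact match on `t.me` avoids the substring hits a bare `contains: t.me` would produce on unrelated names.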