Name:Windows Abused Web Services id:01f0aef4-8591-4daa-a53d-0ed49823b681 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects a suspicious process making DNS queries to known, abused web services such as text-paste sites, VoIP, secure tunneling, instant messaging, and digital distribution platforms. This detection leverages Sysmon logs with Event ID 22, focusing on specific query names. This activity is significant as it may indicate an adversary attempting to download malicious files, a common initial access technique. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the target host. Data_source:
-Sysmon EventID 22
search:`sysmon` EventCode=22 QueryName IN ("*pastebin*",""*textbin*"", "*ngrok.io*", "*discord*", "*duckdns.org*", "*pasteio.com*") | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_abused_web_services_filter`
how_to_implement:This detection relies on sysmon logs with the Event ID 22, DNS Query. We suggest you run this detection at least once a day over the last 14 days. known_false_positives:Noise and false positive can be seen if the following instant messaging is allowed to use within corporate network. In this case, a filter is needed. References: -https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'NjRAT' - 'CISA AA24-241A' asset_type:Endpoint confidence:60 impact:60 message:a network connection on known abused web services from $dest$ mitre_attack_id: - 'T1102' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'process_name' type:'Process' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:36 required_fields: - '_time' - 'Image' - 'QueryName' - 'QueryStatus' - 'process_name' - 'QueryResults' - 'Computer' security_domain:endpoint
