Update dns_query_win_remote_access_software_domains_non_browsers.yml

SigmaHQ · Dec 19, 2024 · 9ff8c92 · 9ff8c92
1 parent f99529b
commit 9ff8c92
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -51,6 +51,7 @@ detection:
             - 'dwservice.net'
             - 'express.gotoassist.com'
             - 'getgo.com'
+            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
             - 'integratedchat.teamviewer.com'
             - 'join.zoho.com'
             - 'kickstart.jumpcloud.com'
@@ -79,7 +80,6 @@ detection:
             - 'tmate.io'
             - 'twingate.com'  # Scattered Spider threat group used this RMM tool
             - 'zohoassist.com'
-            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
     selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
         QueryName|endswith: '.rustdesk.com'
         QueryName|startswith: 'rs-'