
improve 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 to detect DWservice #4438

Closed
nekopep opened this issue Sep 11, 2023 · 2 comments · Fixed by #4427
nekopep commented Sep 11, 2023

Description of the Idea of the Rule

The rule 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 detects remote access software domains like TeamViewer and AnyDesk.
There is a less known remote access software, DWService, that could be useful to detect.
It provides remote desktop view, terminal access and file access under Linux, Windows and Mac OS X.

https://www.dwservice.net/fr/home.html
https://www.dwservice.net/fr/applications.html

Public References / Example Event Log

I successfully detected such access by adding this domain:

        QueryName|endswith:
            - '.dwservice.net'

Here are some DNS queries I get from real detections:

//Usage of remote control (typically a node is accessed)
DNS Resolution
Requested domain name    res-node419012.dwservice.net
Query type  AAAA
//Access to the control interface
DNS Resolution
Requested domain name www.dwservice.net
Query type A
@nasbench nasbench self-assigned this Sep 11, 2023
@nasbench nasbench added the Rules and Work In Progress (Some changes are needed) labels Sep 11, 2023
@nasbench (Member)

Hey @nekopep, thanks for the suggestion. Will look into this and see about adding it to the rule to increase its coverage.

nasbench added a commit to nasbench/sigma that referenced this issue Sep 11, 2023
- This commit adds coverage for `dwservice.net` as suggested in issue SigmaHQ#4438
- Sorts the list of TLDs
- Removes leading dots to avoid missing coverage
@nasbench (Member)

This now should be fixed in nasbench@01d6414. Added a public ref from MS for abuse. Thanks once again for the suggestion @nekopep
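As an added example (not part of the issue, the SigmaHQ rule, or pySigma), a small Python evaluator of the `QueryName|endswith` selection run over events constructed from the DNS lookups quoted above; it also shows the coverage difference between `.dwservice.net` and `dwservice.net` that the fix-up commit's "Removes leading dots" line refers to. The trailing-dot normalisation is an assumption about the log pipeline, not Sigma semantics.

```python
# Toy evaluator for the Sigma `QueryName|endswith` selection in this issue.
# Example code, not the SigmaHQ rule or pySigma; events are constructed.
from typing import Dict, Iterable, List

# Constructed DNS events: the first two mirror the issue's real detections.
DNS_EVENTS: List[Dict[str, str]] = [
    {"QueryName": "res-node419012.dwservice.net", "QueryType": "AAAA"},
    {"QueryName": "www.dwservice.net", "QueryType": "A"},
    {"QueryName": "dwservice.net", "QueryType": "A"},        # bare apex
    {"QueryName": "WWW.DWSERVICE.NET", "QueryType": "A"},    # case variant
    {"QueryName": "www.dwservice.net.", "QueryType": "A"},   # trailing root dot
    {"QueryName": "notdwservice.net", "QueryType": "A"},     # look-alike, unrelated
    {"QueryName": "www.example.com", "QueryType": "A"},      # benign
]

# The issue's value with a leading dot, and the dot-less form the commit describes.
WITH_LEADING_DOT = [".dwservice.net"]
WITHOUT_LEADING_DOT = ["dwservice.net"]

def normalize_query_name(name: str) -> str:
    # Assumed log-pipeline normalisation: Sigma matching is case-insensitive,
    # and some DNS logs carry the trailing root dot.
    return name.lower().rstrip(".")

def sigma_endswith(value: str, patterns: Iterable[str]) -> bool:
    """Sigma `endswith` modifier: case-insensitive suffix match, OR over the list."""
    v = normalize_query_name(value)
    return any(v.endswith(p.lower()) for p in patterns)

def matched_queries(events: Iterable[Dict[str, str]], patterns: List[str]) -> List[str]:
    return [e["QueryName"] for e in events if sigma_endswith(e["QueryName"], patterns)]

def is_true_hit(name: str) -> bool:
    # Label-boundary check: the apex itself or a real subdomain of it.
    n = normalize_query_name(name)
    return n == "dwservice.net" or n.endswith(".dwservice.net")

def coverage_diff(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Query names only the dot-less form catches (the coverage gain the commit
    mentions), and which of those are look-alikes rather than the real domain."""
    events = list(events)
    narrow = set(matched_queries(events, WITH_LEADING_DOT))
    wide = set(matched_queries(events, WITHOUT_LEADING_DOT))
    gained = sorted(wide - narrow)
    return {"gained": gained, "look_alikes": [q for q in gained if not is_true_hit(q)]}
```

The dot-less suffix also accepts a look-alike such as `notdwservice.net`, so treat the wider form as a coverage gain that may need a label-boundary check downstream.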

@nasbench nasbench removed the Work In Progress (Some changes are needed) label Sep 11, 2023