Closed Mahir-Ali-khan closed 2 months ago
Summary of the Pull Request
Added the domains tailscale.com and twingate.com, which were observed in the reports below and were abused by the threat group Scattered Spider:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
https://blog.sekoia.io/scattered-spider-laying-new-eggs/

Added the domain remoteassistance.support.services.microsoft.com; this helps us monitor when the Quick Assist application was used to create a remote connection.
https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
Changelog
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add remoteassistance.support.services.microsoft.com, tailscale.com, twingate.com
Example Log Event
N/A
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
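
An added example (not part of the pull request and not the SigmaHQ rule itself): a Python sketch of the check the rule's title describes, flagging DNS queries for the three added domains when the querying process is not a browser. The Sysmon Event ID 22 field names `Image` and `QueryName`, the browser list, and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# The three domains this pull request adds.
REMOTE_ACCESS_DOMAINS = (
    "remoteassistance.support.services.microsoft.com",
    "tailscale.com",
    "twingate.com",
)

# Assumption: a short browser list chosen for this example only.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def matched_domain(query_name):
    """Return the listed domain that query_name equals or is a subdomain of."""
    # Normalise case and the trailing root dot some resolvers log.
    name = query_name.strip().rstrip(".").lower()
    for domain in REMOTE_ACCESS_DOMAINS:
        # Match on a label boundary so "nottailscale.com" does not hit.
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def detect(events):
    """Return (image, query, domain) for listed-domain lookups by non-browsers."""
    hits = []
    for ev in events:
        domain = matched_domain(ev.get("QueryName", ""))
        image = ev.get("Image", "")
        if domain and basename(image).lower() not in BROWSER_IMAGES:
            hits.append((image, ev["QueryName"], domain))
    return hits


# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "node.tailscale.com"},
    {"Image": r"C:\Users\Public\svc.exe", "QueryName": "node.tailscale.com."},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "remoteassistance.support.services.microsoft.com"},
    {"Image": r"C:\Tools\client.exe", "QueryName": "ACME.Twingate.com"},
    {"Image": r"C:\Tools\client.exe", "QueryName": "nottailscale.com"},
]

if __name__ == "__main__":
    for image, query, domain in detect(SAMPLE_EVENTS):
        print(f"ALERT {domain}: {query} queried by {image}")
```

The browser lookup and the look-alike domain `nottailscale.com` produce no alert; the other three events do.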