From e8a6894eca1a86d10ce7601eb29aece905a7cdc2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 19 Dec 2024 20:38:44 +0100
Subject: [PATCH] Merge PR #5132 from @Neo23x0 - Update `DNS Query To Remote Access Software Domain From Non-Browser App`
update: DNS Query To Remote Access Software Domain From Non-Browser App - Add `getscreen.me`
---------
Co-authored-by: Nasreddine Bencherchali
---
 ...s_query_win_remote_access_software_domains_non_browsers.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 0d00207add1..78e12bf5c59 100644
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -23,7 +23,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
 author: frack113, Connor Martin
 date: 2022-07-11
-modified: 2024-09-13
+modified: 2024-12-17
 tags:
 - attack.command-and-control
 - attack.t1219
@@ -51,6 +51,7 @@ detection:
 - 'dwservice.net'
 - 'express.gotoassist.com'
 - 'getgo.com'
+ - 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
 - 'integratedchat.teamviewer.com'
 - 'join.zoho.com'
 - 'kickstart.jumpcloud.com'
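Review bot: The source for the new `getscreen.me` entry in the second hunk is recorded only as a trailing YAML comment, and its URL still carries the share-tracking query string (`?s=12&t=…`), so it is invisible to anything that reads the rule's `references:` field and none of the neighbouring entries in the hunk is annotated this way. I would keep the list entry as `- 'getscreen.me'` and add `- https://x.com/malmoeb/status/1868757130624614860` under `references:`, which the first hunk shows the rule already has. The field modifier that applies to this list is outside the hunk; if it is a suffix match, a bare-domain entry may also match unrelated names that merely end in the same string, which would hold for the existing entries such as `getgo.com` as well and is worth confirming against the rule's false-positive notes.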