Showing posts from July, 2025

182. Adversaries Abuse Microsoft Dev Tunnels for C2

Hello everyone! We've talked a lot about abusing legitimate services as C2 channels. Let's look at another example worth a hunting query! According to this report, the adversary leveraged malicious Word documents to deliver a Havoc Demon. The interesting part is that the threat actor chose Microsoft dev tunnels for C2. Dev tunnels allow developers to share local web services across the internet securely. As you can see, not only developers use them. In this case the following domain was used:

hxxp://djlmwd9b-80.euw.devtunnels[.]ms

And we can use it to build a query:

event_type: "dnsreqwin" AND dns_rname: "devtunnels.ms"

Other domains to consider:

app.github.dev
tunnels-prod-rel-tm.trafficmanager.net
global.rel.tunnels.api.visualstudio.com

See you tomorrow!
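The hunting query above is a substring match on dns_rname. As an added example (not part of the original post, and not from the referenced report), here is the same hunt expressed in Python over constructed JSON DNS log lines, covering all four domains the post names. It matches on a label boundary, so a look-alike such as evil-devtunnels.ms is not flagged, and it only considers events whose event_type is dnsreqwin, mirroring the query. The log format, host names and process names are assumptions for the example; the tunnel domains come from the post.

```python
import json

# Domains from the post that indicate dev tunnel / Codespaces tunnel traffic.
TUNNEL_DOMAINS = (
    "devtunnels.ms",
    "app.github.dev",
    "tunnels-prod-rel-tm.trafficmanager.net",
    "global.rel.tunnels.api.visualstudio.com",
)


def is_tunnel_domain(qname, suffixes=TUNNEL_DOMAINS):
    """True if qname is one of the suffixes or a subdomain of one.

    Matching on a label boundary ('.' + suffix) avoids false positives from
    names that merely end with the same characters, e.g. 'evil-devtunnels.ms'.
    """
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def hunt(lines):
    """Return (host, process, qname) for DNS request events to tunnel domains.

    Each line is expected to be one JSON object with at least the fields
    event_type, dns_rname, host and process (assumed schema for this example).
    """
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if ev.get("event_type") != "dnsreqwin":
            continue  # the query scopes to Windows DNS request events
        qname = ev.get("dns_rname", "")
        if is_tunnel_domain(qname):
            hits.append((ev.get("host"), ev.get("process"), qname))
    return hits


# Constructed sample log: one real-looking hit per tunnel family, a benign
# lookup, a look-alike domain, and a non-DNS event that must not match.
SAMPLE_LOG = """
{"event_type": "dnsreqwin", "host": "WS-017", "process": "winword.exe", "dns_rname": "djlmwd9b-80.euw.devtunnels.ms"}
{"event_type": "dnsreqwin", "host": "WS-017", "process": "chrome.exe", "dns_rname": "www.microsoft.com"}
{"event_type": "dnsreqwin", "host": "WS-042", "process": "rundll32.exe", "dns_rname": "abc-3000.app.github.dev"}
{"event_type": "dnsreqwin", "host": "WS-042", "process": "chrome.exe", "dns_rname": "evil-devtunnels.ms"}
{"event_type": "procstart", "host": "WS-042", "process": "code.exe", "dns_rname": "global.rel.tunnels.api.visualstudio.com"}
"""


if __name__ == "__main__":
    for host, proc, qname in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host}\t{proc}\t{qname}")
```

The process column is what turns a match into a lead: a lookup of devtunnels.ms from winword.exe or rundll32.exe deserves a closer look, while the same lookup from code.exe on a developer workstation is probably expected.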