The Mask/Careto implants contact a small, known set of command-and-control (C2) domains to exfiltrate data and maintain persistent access to compromised systems. SOC teams should proactively hunt for these domains in the DNS, proxy and endpoint network telemetry ingested into Azure Sentinel to identify long-term persistence and data exfiltration early. The indicators below date from February 2014, so treat them as historical: a hit today may come from a stored artefact (an old capture, a report, an IOC feed) rather than from live C2 traffic, but a live resolution of or connection to one of these domains from an endpoint still warrants immediate triage.
YARA Rule
rule Careto_CnC_domains
{
    meta:
        author = "AlienVault (Alberto Ortega)"
        description = "TheMask / Careto known command and control domains"
        reference = "www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf"
        date = "2014/02/11"
    strings:
        $1 = "linkconf.net" ascii wide nocase
        $2 = "redirserver.net" ascii wide nocase
        $3 = "swupdt.com" ascii wide nocase
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
The detection logic is three string patterns, one per domain, each with the ascii wide nocase modifiers: a pattern matches whether the domain is stored as plain ASCII or as UTF-16LE (the wide form Windows binaries and registry values use), in any letter case, and any one match is enough to fire. These are plain substring matches, so the rule also fires when a domain is embedded in a longer string such as a URL, a configuration blob or a longer hostname; when the same indicators are used in a log-hunting query, match the full hostname (or its parent domain) rather than a substring.
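As an added example (not code from this page or from the rule's author), the following Python re-implements the rule's matching semantics so the effect of the ascii, wide and nocase modifiers can be seen on a byte blob, and adds the stricter hostname check that suits DNS or proxy log hunting. The byte blob and the log lines are constructed for this example; the domain list is the rule's own.

```python
"""Careto C2 domain matching: YARA-style substring scan over bytes plus a
stricter hostname check for log hunting. Added example; all sample data
below is constructed."""
from typing import Dict, List

# The three indicators exactly as listed in the Careto_CnC_domains rule.
CARETO_DOMAINS = ["linkconf.net", "redirserver.net", "swupdt.com"]


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Mimic the rule's 'ascii wide nocase' strings with 'any of them'.

    nocase: YARA folds ASCII letters only, which bytes.lower() also does.
    ascii:  the indicator as plain bytes.
    wide:   the indicator as UTF-16LE, i.e. each character followed by 0x00,
            the form Windows executables and many config blobs use.
    Returns {indicator: [encodings that matched]}; an empty dict is no match.
    """
    folded = data.lower()
    hits: Dict[str, List[str]] = {}
    for dom in CARETO_DOMAINS:
        encodings = []
        if dom.encode("ascii") in folded:
            encodings.append("ascii")
        if dom.encode("utf-16-le") in folded:
            encodings.append("wide")
        if encodings:
            hits[dom] = encodings
    return hits


def is_careto_host(hostname: str) -> bool:
    """Stricter check for DNS/proxy telemetry: the queried name must be the
    indicator itself or a subdomain of it. The YARA rule's substring match
    would also flag an unrelated name such as 'notlinkconf.net'."""
    name = hostname.strip().rstrip(".").lower()  # drop the FQDN trailing dot
    return any(name == d or name.endswith("." + d) for d in CARETO_DOMAINS)


# Constructed sample DNS log (not real telemetry), one query per line:
# time host client_ip queried_name requesting_process
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z WS-014 10.1.2.3 update.microsoft.com svchost.exe
2024-05-01T10:00:07Z WS-014 10.1.2.3 SwUpdt.COM explorer.exe
2024-05-01T10:01:13Z WS-022 10.1.2.9 notlinkconf.net chrome.exe
2024-05-01T10:02:40Z SRV-01 10.1.0.5 cdn.redirserver.net. powershell.exe
"""


def hunt_dns_log(text: str) -> List[dict]:
    """Return every query to a Careto domain with the context an analyst
    needs for triage. Host and process are reported, not used to suppress:
    none of these domains has a legitimate use."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, client_ip, query, proc = fields
        if is_careto_host(query):
            hits.append({"time": ts, "host": host, "client_ip": client_ip,
                         "query": query, "process": proc})
    return hits


# Constructed byte blob standing in for a process memory dump: one indicator
# in mixed-case ASCII inside a (made-up) URL, another as UTF-16LE, plus
# benign text that must not match.
SAMPLE_BLOB = (b"GET http://LinkConf.net/update.php HTTP/1.1\r\n"
               + "SWUPDT.COM".encode("utf-16-le") + b"\x00\x00"
               + b"update.microsoft.com\x00")

if __name__ == "__main__":
    print("file/memory scan:", scan_bytes(SAMPLE_BLOB))
    for hit in hunt_dns_log(SAMPLE_DNS_LOG):
        print("log hit:", hit)
```

Running the block shows the two sides of the rule: the byte scan reports linkconf.net as an ascii hit and swupdt.com as a wide hit, and would also report a hit on the unrelated name notlinkconf.net, whereas the log hunt ignores that name but does flag the mixed-case SwUpdt.COM query and the subdomain cdn.redirserver.net together with the requesting process.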
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a script whose content or output contains one of the Careto domains, for example a script that sweeps hosts for these indicators or writes a blocklist, so the rule fires on the script or its artefacts rather than on a connection to the C2 domain.
Filter/Exclusion: Check for Task Scheduler or schtasks.exe in the process tree and identify the task by its registered path and the script it runs. Do not exclude on the task name alone (e.g., SystemMaintenance): an attacker can register a task under any name, and the Mask implants themselves persist on the host. Tune on the specific script path or hash only after confirming that the script's content, not a network connection, caused the match.
Scenario: Admin Remote Management via PowerShell
Description: An administrator's remote PowerShell session produces a hit because the script being run embeds the indicator list, for example for an IOC sweep or a firewall blocklist, rather than because the session contacted a C2 domain.
Filter/Exclusion: Check the command line for Invoke-Command or Enter-PSSession and identify the script that contains the string. Do not filter on powershell.exe plus a domain-admin account: a privileged account whose session resolves or connects to a Careto domain is exactly the case to investigate, and a script that legitimately embeds the domains can be allow-listed by path or hash instead.
Scenario: Legitimate Software Update Check
Description: A software update client (e.g., Microsoft Update, Adobe Update) is reported because the rule, run over the client's memory, logs or cache, finds one of the strings, or because a hunting query matched one of the domains as a substring of a longer, unrelated hostname.
Filter/Exclusion: Verify the actual destination and compare the full hostname against the indicator list; the three Careto domains are not vendor update domains, so an exact match on a queried or connected hostname is not a false positive. Excluding by destination (update.microsoft.com, adobe.com) is only meaningful when the hit came from a substring match on such a name. HTTP status codes do not discriminate: a C2 check-in also returns 200 OK.
Scenario: Network Monitoring Tool Traffic
Description: A packet capture, sensor log or other artefact written by a monitoring tool (e.g., Wireshark, PRTG) contains one of the domain strings because the tool recorded another host's traffic, and scanning the tool's files or memory with the rule fires on that stored data rather than on a connection the tool made.
Filter/Exclusion: Separate file and memory hits on monitoring-tool output from live network connections. For the former, find the original source host in the capture or log and triage that host. Do not exclude by process name (e.g., wireshark.exe) or by the operator's account: process names and accounts are attacker-choosable, so if an allow-list is needed, key it on the signed binary path or hash and restrict it to file scans of the tool's output.
Scenario: False Positive from Threat Intelligence Feed
Description: A threat intelligence feed incorrectly