Network Connections Where There Should Not Be (Notepad)
Looks for network connections from notepad. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: Network Connections Where There Should Not Be (Notepad)
2id: 6abd63f2-a8cc-40bc-b13b-7c60fa20b265
3status: experimental
4description: Looks for network connections from notepad. Inspired by the 2022 Red
5 Canary Threat Detection report.
6references:
7 - https://redcanary.com/threat-detection-report/techniques/process-injection/
8author: Micah Babinski
9date: 2022/11/03
10tags:
11 - attack.privilege_escalation
12 - attack.t1055
13logsource:
14 category: network_connection
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\notepad.exe'
19 condition: selection
20falsepositives:
21 - Unknown
22level: high```
References
-
Process Injection enables adversaries to execute potentially suspicious processes in the context of seemingly benign ones.
Read More
Related rules
- Suspicious Child Process Of Wermgr.EXE
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- APT PRIVATELOG Image Load Pattern
- Potential Dridex Activity