Suspicious Network Connections (RedCanary Threat Detection Report)
Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Suspicious Network Connections (RedCanary Threat Detection Report)
2id: f3b0b17c-0e4b-45e5-b88e-521d2c3f6ae1
3status: experimental
4description: Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/process-injection/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.privilege_escalation
11 - attack.t1055
12logsource:
13 category: network_connection
14 product: windows
15detection:
16 selection:
17 Image|endswith: '\notepad.exe'
18 condition: selection
19falsepositives:
20 - Unknown
21level: low```
References
-
Process Injection enables adversaries to execute potentially suspicious processes in the context of seemingly benign ones.
Read More
Related rules
- Powershell Injecting Into Anything (RedCanary Threat Detection Report)
- Process Executing Sans Command Line (RedCanary Threat Detection Report)
- PowerShell Injecting into Other Process
- Process Execution sans Command Lines
- Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)