Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

Detects an executable in the Windows folder accessing suspicious domains

Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement

Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2

Detects a network connection initiated by the certutil.exe tool. Attackers can abuse the utility in order to download malware or additional payloads.

Detects initiated network connections to crypto mining pools

Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.

Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation

Detects a rundll32 that communicates with public IP addresses

Detects suspicious network connection by Cmstp

Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Detects network connections from Equation Editor

Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files

Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Detects an executable that isn't dropbox but communicates with the Dropbox API

Detects suspicious network connections made by a well-known Windows binary run with no command line parameters

Detects programs with network connections running in suspicious files system locations

Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Use IMEWDBLD.exe (built-in to windows) to download a file

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Detects Dllhost that communicates with public IP addresses

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Detects suspicious network connection by Notepad

Detects network connections and DNS queries initiated by Regsvr32.exe

Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.

Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.

Detects a possible remote connections to Silenttrinity c2

Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.