Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
Sigma rule (View on GitHub)
1title: Outbound Network Connection Initiated By Microsoft Dialer
2id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
3status: experimental
4description: |
5 Detects outbound network connection initiated by Microsoft Dialer.
6 The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
7 This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
8references:
9 - https://tria.ge/240301-rk34sagf5x/behavioral2
10 - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
11 - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
12 - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
13author: CertainlyP
14date: 2024-04-26
15tags:
16 - attack.execution
17 - attack.t1071.001
18logsource:
19 category: network_connection
20 product: windows
21detection:
22 selection:
23 Image|endswith: ':\Windows\System32\dialer.exe'
24 Initiated: 'true'
25 filter_main_local_ranges:
26 DestinationIp|cidr:
27 - '127.0.0.0/8'
28 - '10.0.0.0/8'
29 - '172.16.0.0/12'
30 - '192.168.0.0/16'
31 - '169.254.0.0/16'
32 - '::1/128' # IPv6 loopback
33 - 'fe80::/10' # IPv6 link-local addresses
34 - 'fc00::/7' # IPv6 private addresses
35 condition: selection and not 1 of filter_main_*
36falsepositives:
37 - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
38level: high
References
-
Check this rhadamanthys report malware sample 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e, with a score of 10 out of 10.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Research by: hasherezade Highlights Introduction Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design. In our last article on Rhadamanthys [1], we focused on the custom executable formats used by this malware and their similarity to a different family, Hidden Bee, which is most likely its predecessor. In […]
Read More -
Related rules
- Suspicious Installer Package Child Process
- Ursnif Malware C2 URL Pattern
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType