Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
Sigma rule (View on GitHub)
1title: Outbound Network Connection Initiated By Microsoft Dialer
2id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
3status: test
4description: |
5 Detects outbound network connection initiated by Microsoft Dialer.
6 The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
7 This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
8references:
9 - https://tria.ge/240301-rk34sagf5x/behavioral2
10 - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
11 - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
12 - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
13author: CertainlyP
14date: 2024-04-26
15tags:
16 - attack.execution
17 - attack.command-and-control
18 - attack.t1071.001
19logsource:
20 category: network_connection
21 product: windows
22detection:
23 selection:
24 Image|endswith: ':\Windows\System32\dialer.exe'
25 Initiated: 'true'
26 filter_main_local_ranges:
27 DestinationIp|cidr:
28 - '127.0.0.0/8'
29 - '10.0.0.0/8'
30 - '172.16.0.0/12'
31 - '192.168.0.0/16'
32 - '169.254.0.0/16'
33 - '::1/128' # IPv6 loopback
34 - 'fe80::/10' # IPv6 link-local addresses
35 - 'fc00::/7' # IPv6 private addresses
36 condition: selection and not 1 of filter_main_*
37falsepositives:
38 - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
39level: high
References
-
Check this rhadamanthys report malware sample 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e, with a score of 10 out of 10.
Read More -
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More -
Research by: hasherezade Highlights Introduction Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design. In our last article on Rhadamanthys [1], we focused on the custom executable formats used by this malware and their similarity to a different family, Hidden Bee, which is most likely its predecessor. In […]
Read More -
Related rules
- Suspicious Installer Package Child Process
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Exploit Framework User Agent
- Cloudflared Tunnels Related DNS Requests
- DNS Query To Devtunnels Domain