Dllhost.EXE Initiated Network Connection To Non-Local IP Address

Detects dllhost.exe initiating a network connection to a non-local IP address. Microsoft's own IP ranges need to be excluded, and because dllhost.exe is only a COM surrogate, its network communication depends entirely on the DLL it hosts. An initial baseline is recommended before deployment.

Sigma rule

title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
id: cfed2f44-16df-4bf3-833a-79405198b277
status: test
description: |
    Detects dllhost initiating a network connection to a non-local IP address.
    Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
    An initial baseline is recommended before deployment.
references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
author: bartblaze
date: 2020/07/13
modified: 2024/01/31
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.execution
    - attack.t1559.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        Initiated: 'true'
    filter_main_ipv4:
        DestinationIp|startswith:
            - '10.'
            - '192.168.'
            - '172.16.'
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '169.254.'  # link-local address
            - '127.'  # loopback address
    filter_main_ipv6:
        DestinationIp|startswith:
            - '::1'  # IPv6 loopback variant
            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
            - 'fe80:'  # link-local address
            - 'fc'  # private address range fc00::/7
            - 'fd'  # private address range fc00::/7
    filter_main_msrange:
        DestinationIp|startswith:
            - '20.184.'
            - '20.185.'
            - '20.186.'
            - '20.187.'
            - '20.188.'
            - '20.189.'
            - '20.190.'
            - '20.191.'
            - '20.223.'
            - '23.79.'
            - '51.10.'
            - '51.103.'
            - '51.104.'
            - '51.105.'
            - '52.239.'
            - '204.79.197'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
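As an added illustration (not part of the Sigma rule above or the SigmaHQ project), the following Python implements the rule's selection and `filter_main_*` logic with Sigma's case-insensitive `endswith`/`startswith` semantics and runs it over constructed network-connection events that use the rule's own field names (Image, Initiated, DestinationIp); the sample events and their addresses are made up for the demonstration.

```python
"""Evaluate 'Dllhost.EXE Initiated Network Connection To Non-Local IP Address'
over constructed network_connection events (Sysmon Event ID 3 style fields)."""

# Prefix lists copied from the rule's filter_main_ipv4 / _ipv6 / _msrange blocks.
PRIVATE_IPV4 = ("10.", "192.168.", *(f"172.{n}." for n in range(16, 32)),
                "169.254.", "127.")
LOCAL_IPV6 = ("::1", "0:0:0:0:0:0:0:1", "fe80:", "fc", "fd")
MS_RANGES = ("20.184.", "20.185.", "20.186.", "20.187.", "20.188.", "20.189.",
             "20.190.", "20.191.", "20.223.", "23.79.", "51.10.", "51.103.",
             "51.104.", "51.105.", "52.239.", "204.79.197")
FILTERS = PRIVATE_IPV4 + LOCAL_IPV6 + MS_RANGES


def matches(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'."""
    # Sigma string modifiers match case-insensitively, so normalise both sides.
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\dllhost.exe"):
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False  # inbound connections are out of scope for this rule
    dest = str(event.get("DestinationIp", "")).lower()
    # str.startswith accepts a tuple: any matching prefix suppresses the alert.
    return not dest.startswith(FILTERS)


# Constructed sample events (not real telemetry); 203.0.113.x and 198.51.100.x
# are documentation ranges standing in for arbitrary public addresses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "192.168.1.20"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "20.190.160.5"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "fe80::1"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "203.0.113.7"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "false", "DestinationIp": "203.0.113.7"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true", "DestinationIp": "203.0.113.7"},
    {"Image": r"C:\Windows\SysWOW64\DllHost.exe", "Initiated": "true", "DestinationIp": "198.51.100.9"},
]


def alerts(events) -> list:
    """Return the destination IPs of the events that would raise this alert."""
    return [e["DestinationIp"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # prints ['203.0.113.7', '198.51.100.9']
```

Only the two public destinations fire; the RFC 1918, link-local and listed Microsoft prefixes are suppressed, as are the non-initiated connection and the svchost.exe event.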
