Dllhost.EXE Initiated Network Connection To Non-Local IP Address

calendar Mar 13, 2024 · attack.defense_evasion attack.t1218 attack.execution attack.t1559.001  ·
Share on: linkedin copy

Detects dllhost initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.

Sigma rule (View on GitHub)

 1title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
 2id: cfed2f44-16df-4bf3-833a-79405198b277
 3status: test
 4description: |
 5    Detects dllhost initiating a network connection to a non-local IP address.
 6    Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
 7    An initial baseline is recommended before deployment.    
 8references:
 9    - https://redcanary.com/blog/child-processes/
10    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
11author: bartblaze
12date: 2020/07/13
13modified: 2024/03/12
14tags:
15    - attack.defense_evasion
16    - attack.t1218
17    - attack.execution
18    - attack.t1559.001
19logsource:
20    category: network_connection
21    product: windows
22detection:
23    selection:
24        Image|endswith: '\dllhost.exe'
25        Initiated: 'true'
26    filter_main_local_ranges:
27        DestinationIp|cidr:
28            - '::1/128'  # IPv6 loopback
29            - '10.0.0.0/8'
30            - '127.0.0.0/8'
31            - '172.16.0.0/12'
32            - '192.168.0.0/16'
33            - '169.254.0.0/16'
34            - 'fc00::/7'  # IPv6 private addresses
35            - 'fe80::/10'  # IPv6 link-local addresses
36    filter_main_msrange:
37        DestinationIp|cidr:
38            - '20.184.0.0/13' # Microsoft Corporation
39            - '20.192.0.0/10' # Microsoft Corporation
40            - '23.72.0.0/13'  # Akamai International B.V.
41            - '51.10.0.0/15'  # Microsoft Corporation
42            - '51.103.0.0/16' # Microsoft Corporation
43            - '51.104.0.0/15' # Microsoft Corporation
44            - '52.224.0.0/11'  # Microsoft Corporation
45            - '204.79.197.0/24' # Microsoft Corporation'
46    condition: selection and not 1 of filter_main_*
47falsepositives:
48    - Communication to other corporate systems that use IP addresses from public address spaces
49level: medium

References

Related rules

to-top