Suspicious Typical Malware Back Connect Ports
Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
Sigma rule:
title: Suspicious Typical Malware Back Connect Ports
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
status: test
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017/03/19
modified: 2023/05/02
tags:
    - attack.persistence
    - attack.command_and_control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 8080
            - 8143
            - 8843
            - 8888
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_local_ips:
        DestinationIp|startswith:
            - '10.'
            - '127.'
            - '172.16.'
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '192.168.'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
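To see how the condition above behaves on concrete telemetry, the following is an added example (not code from the Sigma project or the rule's author) that evaluates the rule's selection and both filters over constructed Sysmon-style network_connection events. It assumes the same field names the rule uses (Image, Initiated, DestinationIp, DestinationPort) and generalizes the nineteen DestinationIp string prefixes into the equivalent RFC 1918 and loopback networks.

```python
import ipaddress

# Destination ports from the rule's `selection` block.
BACKCONNECT_PORTS = {
    100, 198, 200, 243, 473, 666, 700, 743, 777, 1443, 1515, 1777, 1817, 1904,
    1960, 2443, 2448, 3360, 3675, 3939, 4040, 4433, 4438, 4443, 4444, 4455,
    5445, 5552, 5649, 6625, 7210, 8080, 8143, 8843, 8888, 9631, 9943, 10101,
    12102, 12103, 12322, 13145, 13394, 13504, 13505, 13506, 13507, 14102,
    14103, 14154, 49180, 65520, 65535,
}
# filter_optional_sys_directories (Image|startswith).
SYS_DIR_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")
# filter_main_local_ips: the rule's 19 string prefixes cover exactly these
# networks; '172.16.' through '172.31.' together are the 172.16.0.0/12 block.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # unparseable field: the filter does not exclude it
        return False
    return any(addr in net for net in LOCAL_NETS)

def matches_rule(event: dict) -> bool:
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    if int(event.get("DestinationPort", -1)) not in BACKCONNECT_PORTS:
        return False
    if event.get("Image", "").startswith(SYS_DIR_PREFIXES):
        return False  # filter_optional_sys_directories
    return not is_local_ip(event.get("DestinationIp", ""))  # filter_main_local_ips

# Constructed events for illustration only (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\update.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"Image": r"C:\Program Files\Vendor\agent.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"Image": r"C:\Users\Public\update.exe", "Initiated": "true", "DestinationIp": "172.20.5.5", "DestinationPort": 8080},
    {"Image": r"C:\Users\Public\update.exe", "Initiated": "false", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"Image": r"C:\Users\Public\update.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

def alerting_indices(events) -> list:
    """Indices of events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print("events matching the rule:", alerting_indices(SAMPLE_EVENTS))
```

Only the first event fires: the second is excluded by the Program Files filter, the third by the private-address filter, the fourth because the connection was not initiated locally, and the fifth because 443 is not in the port list.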