Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
Sigma rule

```yaml
title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
    Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2025-12-10
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Music\'
            - '\Pictures\'
            - '\Videos\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io' # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
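To see how the selection and the `filter_main_domains` exclusion combine, here is an added Python evaluator of the rule's logic run over constructed network_connection events (this is illustration code, not part of the Sigma rule or SigmaHQ's tooling). It assumes Sysmon-style field names as used by Sigma, applies Sigma's case-insensitive `contains`/`endswith` semantics, and uses only a subset of the rule's filtered domains.

```python
# Added example, not part of the Sigma rule: a minimal evaluator for the
# rule's detection logic. Sigma's contains/endswith modifiers are
# case-insensitive, so every comparison is lower-cased first.

SUSPICIOUS_IMAGE_SUBSTRINGS = [
    ':\\$Recycle.bin', ':\\Perflogs\\', ':\\Temp\\', ':\\Users\\Default\\',
    ':\\Users\\Public\\', ':\\Windows\\Fonts\\', ':\\Windows\\IME\\',
    ':\\Windows\\System32\\Tasks\\', ':\\Windows\\Tasks\\',
    '\\config\\systemprofile\\', '\\Contacts\\', '\\Favorites\\',
    '\\Favourites\\', '\\Music\\', '\\Pictures\\', '\\Videos\\',
    '\\Windows\\addins\\',
]

# Subset of the rule's filter_main_domains list (assumption: enough to show the filter).
FILTERED_DOMAIN_SUFFIXES = [
    '.githubusercontent.com', 'github.com', 'pastebin.com', 'transfer.sh',
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies: selection and not 1 of filter_main_*."""
    # selection: only outbound (Initiated == 'true') connections count
    if str(event.get('Initiated', '')).lower() != 'true':
        return False
    image = str(event.get('Image', '')).lower()
    if not any(s.lower() in image for s in SUSPICIOUS_IMAGE_SUBSTRINGS):
        return False
    # filter_main_domains: hosts already covered by the file-sharing rule are suppressed
    host = str(event.get('DestinationHostname', '')).lower()
    if any(host.endswith(d.lower()) for d in FILTERED_DOMAIN_SUFFIXES):
        return False
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'Initiated': 'true', 'Image': 'C:\\Users\\Public\\update.exe',
     'DestinationHostname': 'cdn.example.invalid'},        # alert
    {'Initiated': 'true', 'Image': 'C:\\Users\\Public\\sync.exe',
     'DestinationHostname': 'raw.githubusercontent.com'},  # suppressed by filter
    {'Initiated': 'false', 'Image': 'C:\\Windows\\Tasks\\srv.exe',
     'DestinationHostname': 'cdn.example.invalid'},        # inbound, ignored
    {'Initiated': 'true', 'Image': 'C:\\Program Files\\App\\app.exe',
     'DestinationHostname': 'cdn.example.invalid'},        # ordinary install path
]


def alerts(events):
    """Return the Image of every event that would fire the rule."""
    return [e['Image'] for e in events if matches_rule(e)]
```

Note that `endswith` on a bare domain such as `github.com` also suppresses any hostname that merely ends in those characters, so the exclusion is broader than an exact-domain match.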
Related rules
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
- Suspicious Download Via Certutil.EXE
- Suspicious File Downloaded From Direct IP Via Certutil.EXE
- Finger.EXE Execution