Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
Sigma rule
```yaml
title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
    Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2024-08-22
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io' # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
Related rules
- Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
- AppX Package Installation Attempts Via AppInstaller.EXE
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data