Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.

Sigma rule

title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
        Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2024-08-22
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io'  # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

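The following script is an added example, not part of the SigmaHQ rule or this page, that applies the rule's `selection and not 1 of filter_main_*` logic to a handful of Sysmon Event ID 3 (network connection) records. It assumes Sigma's default case-insensitive string matching, treats a missing DestinationHostname as an empty string, and uses the rule's own path fragments and domain suffixes; every record in SAMPLE_EVENTS, including its hostnames and paths, is constructed for illustration.

```python
# Added example: evaluate the rule above against constructed Sysmon
# Event ID 3 records. Not code from the SigmaHQ project or the rule page.

# Image|contains fragments from the rule (backslashes escaped for Python;
# Sigma treats them as literal characters here).
SUSPICIOUS_PATHS = [
    ":\\$Recycle.bin", ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Windows\\Fonts\\", ":\\Windows\\IME\\", ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\", "\\config\\systemprofile\\", "\\Windows\\addins\\",
]

# DestinationHostname|endswith values of filter_main_domains. Sigma's
# endswith is a plain suffix test, so 'ddns.net' also matches a host such as
# 'foo-ddns.net'; this reproduces the rule's behaviour rather than fixing it.
EXCLUDED_HOSTNAME_SUFFIXES = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "glitch.me", "gofile.io",
    "hastebin.com", "mediafire.com", "mega.co.nz", "mega.nz", "onrender.com",
    "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net",
    "portmap.io", "privatlab.com", "privatlab.net", "send.exploit.in",
    "sendspace.com", "storage.googleapis.com", "storjshare.io", "supabase.co",
    "temp.sh", "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com",
    "workers.dev",
]


def matches(event: dict) -> bool:
    """True when the event satisfies `selection and not filter_main_domains`."""
    # Sigma compares strings case-insensitively by default, so normalise once.
    initiated = str(event.get("Initiated", "")).lower()
    image = str(event.get("Image", "")).lower()
    host = str(event.get("DestinationHostname", "")).lower()

    if initiated != "true":  # selection: outbound connections only
        return False
    if not any(p.lower() in image for p in SUSPICIOUS_PATHS):
        return False
    # filter_main_domains: leave these destinations to the sibling rule
    # (e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97) so they are not alerted twice.
    if any(host.endswith(s.lower()) for s in EXCLUDED_HOSTNAME_SUFFIXES):
        return False
    return True


def run(events: list) -> list:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches(e)]


# Constructed Sysmon Event ID 3 records (only the fields the rule uses).
SAMPLE_EVENTS = [
    # alert: process in C:\Windows\Tasks, no resolvable hostname
    {"Initiated": "true", "Image": "C:\\Windows\\Tasks\\svchost.exe"},
    # suppressed by filter: destination is a githubusercontent.com host
    {"Initiated": "true", "Image": "C:\\Users\\Default\\AppData\\Roaming\\loader.exe",
     "DestinationHostname": "raw.githubusercontent.com"},
    # no match: ':\Temp\' only covers a Temp folder at the drive root,
    # not C:\Windows\Temp or a user's AppData\Local\Temp
    {"Initiated": "true", "Image": "C:\\Windows\\Temp\\installer.exe",
     "DestinationHostname": "updates.example.com"},
    # no match: inbound connection (Initiated is false)
    {"Initiated": "false", "Image": "C:\\PerfLogs\\listener.exe",
     "DestinationHostname": "198.51.100.7"},
    # suppressed by filter: 'evil.ddns.net' ends with 'ddns.net'
    {"Initiated": "true", "Image": "C:\\$Recycle.Bin\\S-1-5-21-1\\run.exe",
     "DestinationHostname": "evil.ddns.net"},
    # alert: service profile directory used as a drop location
    {"Initiated": "true",
     "Image": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\agent.exe",
     "DestinationHostname": "c2.example.net"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit.get("DestinationHostname", "(none)"))
```

Two points the sample records bring out are worth keeping in mind when tuning: the `:\Temp\` fragment fires only for a Temp directory directly under a drive letter, so `C:\Windows\Temp` and per-user `AppData\Local\Temp` are deliberately outside this rule's scope, and the domain filter is a suffix match with no dot anchor, so a host that merely ends in one of the listed strings is also suppressed.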