Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Detects a network connection initiated by a program or process running from a suspicious or uncommon file system location.

Sigma rule

title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
    Detects a network connection initiated by a program or process running from a suspicious or uncommon file system location.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017/03/19
modified: 2024/05/31
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'cdn.discordapp.com/attachments/'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io'  # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
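
To see how the selection and the domain filter combine, here is an editor-added Python matcher (not part of this page, of the rule, or of SigmaHQ) that applies the rule's logic to a handful of constructed Sysmon Event ID 3 records using Sigma's windows/network_connection field names. It assumes Sigma's default case-insensitive string matching and that `Initiated`, `Image` and `DestinationHostname` carry the values Sysmon writes; the sample events are invented. Two practitioner caveats become visible: the `endswith` entries carry no leading dot, so `ddns.net` also excludes hosts such as `files.notreallyddns.net`, and the entry `cdn.discordapp.com/attachments/` contains a URL path and can never match a hostname field, so it is dead weight in the filter.

```python
# Editor-added illustration of the Sigma rule above; not SigmaHQ code.
# The matcher and the sample events are assumptions made for this example.

# detection.selection -> Image|contains (backslashes are literal in Sigma).
SUSPICIOUS_PATH_FRAGMENTS = [
    ":\\$Recycle.bin",
    ":\\Perflogs\\",
    ":\\Temp\\",
    ":\\Users\\Default\\",
    ":\\Windows\\Fonts\\",
    ":\\Windows\\IME\\",
    ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\",
    "\\config\\systemprofile\\",
    "\\Windows\\addins\\",
]

# detection.filter_main_domains -> DestinationHostname|endswith, copied verbatim,
# including the one entry that carries a URL path.
FILTER_HOSTNAME_SUFFIXES = [
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com",
    "cdn.discordapp.com/attachments/", "ddns.net", "dl.dropboxusercontent.com",
    "ghostbin.co", "glitch.me", "gofile.io", "hastebin.com", "mediafire.com",
    "mega.co.nz", "mega.nz", "onrender.com", "paste.ee", "pastebin.com",
    "pastebin.pl", "pastetext.net", "portmap.io", "privatlab.com", "privatlab.net",
    "send.exploit.in", "sendspace.com", "storage.googleapis.com", "storjshare.io",
    "supabase.co", "temp.sh", "transfer.sh", "ufile.io",
]


def selection(event):
    """selection: Initiated is true and Image contains one of the fragments.
    Sigma matches strings case-insensitively by default, so both sides are lowered."""
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    image = str(event.get("Image", "")).lower()
    return any(frag.lower() in image for frag in SUSPICIOUS_PATH_FRAGMENTS)


def filtered_by_domain(event):
    """filter_main_domains: DestinationHostname ends with any listed suffix.
    No leading dot on most entries, so 'ddns.net' also matches 'xddns.net'."""
    host = str(event.get("DestinationHostname", "")).lower()
    return any(host.endswith(suffix.lower()) for suffix in FILTER_HOSTNAME_SUFFIXES)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filtered_by_domain(event)


def unmatchable_hostname_filters():
    """Entries containing a path separator can never equal the tail of a bare
    hostname, so they never exclude anything in an endswith filter."""
    return [s for s in FILTER_HOSTNAME_SUFFIXES if "/" in s]


# Constructed Sysmon Event ID 3 records (not real telemetry).
SAMPLE_EVENTS = [
    # Outbound from C:\Temp to a raw IP: no hostname, nothing to filter -> alert.
    {"Initiated": "true", "Image": "C:\\Temp\\update.exe",
     "DestinationHostname": "", "DestinationIp": "203.0.113.5"},
    # Inbound connection: Initiated is false -> no alert.
    {"Initiated": "false", "Image": "C:\\Windows\\Tasks\\listener.exe",
     "DestinationHostname": ""},
    # Ordinary install path -> no alert.
    {"Initiated": "true", "Image": "C:\\Program Files\\Vendor\\agent.exe",
     "DestinationHostname": "updates.example.net"},
    # Suspicious path, but destination is handed off to the companion rule.
    {"Initiated": "true", "Image": "C:\\Users\\Default\\AppData\\Local\\loader.exe",
     "DestinationHostname": "raw.githubusercontent.com"},
    # Upper-case path still selected; bare 'ddns.net' suffix swallows this host.
    {"Initiated": "true", "Image": "C:\\TEMP\\dropper.exe",
     "DestinationHostname": "files.notreallyddns.net"},
    # Fragment without a drive letter matches on any volume -> alert.
    {"Initiated": "true",
     "Image": "D:\\Windows\\System32\\config\\systemprofile\\AppData\\svc.exe",
     "DestinationHostname": "203.0.113.9"},
]


def matching_images(events=SAMPLE_EVENTS):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in matching_images():
        print("ALERT:", image)
    print("dead filter entries:", unmatchable_hostname_filters())
```

When porting this to a SIEM, keep in mind that `DestinationHostname` is only populated when Sysmon resolves the peer address, so raw-IP beacons pass the filter untouched, which is the behaviour you want here.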
