Potentially Suspicious Malware Callback Communication

Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases

Sigma rule (View on GitHub)

title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
      type: similar
status: test
description: |
        Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017/03/19
modified: 2023/12/11
tags:
    - attack.persistence
    - attack.command_and_control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 7777
            - 8143
            - 8843
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_optional_sys_directories:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_local_ips:
        DestinationIp|startswith:
            - '10.'
            - '127.'
            - '172.16.'
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '192.168.'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
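The following Python is an added illustration, not code from the rule or the SigmaHQ project: it applies the rule's selection and both filters to constructed Sysmon Event ID 3 style records (field names follow the rule; the image paths and the 203.0.113.x addresses are invented) and returns the records that would alert.

```python
# Added example, not code from the SigmaHQ rule: applies the rule's
# selection and filters to constructed Sysmon Event ID 3 style records.
# Destination ports copied from the rule's selection.
CALLBACK_PORTS = {
    100, 198, 200, 243, 473, 666, 700, 743, 777, 1443, 1515, 1777, 1817,
    1904, 1960, 2443, 2448, 3360, 3675, 3939, 4040, 4433, 4438, 4443, 4444,
    4455, 5445, 5552, 5649, 6625, 7210, 7777, 8143, 8843, 9631, 9943, 10101,
    12102, 12103, 12322, 13145, 13394, 13504, 13505, 13506, 13507, 14102,
    14103, 14154, 49180, 65520, 65535,
}

# filter_main_local_ips: loopback and RFC 1918 ranges, matched as string
# prefixes exactly like DestinationIp|startswith in the rule.
LOCAL_IP_PREFIXES = ("10.", "127.", "192.168.") + tuple(f"172.{i}." for i in range(16, 32))

# filter_optional_sys_directories: Image|contains (backslashes escaped for Python).
SYS_DIR_FRAGMENTS = (":\\Program Files\\", ":\\Program Files (x86)\\")


def matches_rule(event: dict) -> bool:
    """True when 'selection and not 1 of filter_main_* and not 1 of filter_optional_*' holds."""
    in_selection = (event.get("Initiated") == "true"
                    and int(event.get("DestinationPort", 0)) in CALLBACK_PORTS)
    if not in_selection:
        return False
    if any(event.get("DestinationIp", "").startswith(p) for p in LOCAL_IP_PREFIXES):
        return False  # filter_main_local_ips suppresses internal destinations
    if any(frag in event.get("Image", "") for frag in SYS_DIR_FRAGMENTS):
        return False  # filter_optional_sys_directories suppresses installed software
    return True


def alerting_events(events):
    """Return the subset of events the rule would raise as alerts."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records (paths and addresses are invented; 203.0.113.0/24 is TEST-NET-3).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"Image": "C:\\Users\\Public\\update.exe", "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 4444},
    {"Image": "C:\\Program Files\\Vendor\\agent.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"Image": "C:\\Users\\Public\\update.exe", "Initiated": "false", "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"Image": "C:\\Users\\Public\\update.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["DestinationIp"], hit["DestinationPort"])
```

Only the first sample record alerts: the others are suppressed by the private-IP filter, the Program Files filter, an inbound (non-initiated) direction, or a port outside the list. Note that the trailing dot in each prefix matters: '172.16.' suppresses 172.16.0.0/16 but not a public address such as 172.160.1.1, so the filter is narrower than a bare '172.16' string match would be.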
