Potentially Suspicious Malware Callback Communication

Detects programs that initiate outbound connections to destination ports identified as common malware callback ports by statistical analysis of two different sandbox system databases

Sigma rule

title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
      type: similar
status: test
description: |
        Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017/03/19
modified: 2024/03/12
tags:
    - attack.persistence
    - attack.command_and_control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 7777
            - 8143
            - 8843
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
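To make the condition concrete, the following added example (not part of the Sigma project or this rule) re-implements the rule's selection and filter logic in Python and runs it over a handful of constructed Sysmon Event ID 3 (network_connection) records. The field names mirror the Sysmon event (Initiated, DestinationPort, DestinationIp, Image); the sample events, their `_label` keys and the IP addresses in them are made up for the demonstration. Two details of Sigma semantics are reproduced deliberately: the `cidr` modifier must handle both IPv4 and IPv6 ranges, and string modifiers such as `startswith` are case-insensitive by default, so a lower-cased `c:\program files (x86)\...` image path is still filtered.

```python
"""Evaluate the rule's detection logic over constructed Sysmon network
connection events. Added example; not code from the Sigma project."""
import ipaddress

# DestinationPort values from the rule's selection block
CALLBACK_PORTS = {
    100, 198, 200, 243, 473, 666, 700, 743, 777, 1443, 1515, 1777, 1817,
    1904, 1960, 2443, 2448, 3360, 3675, 3939, 4040, 4433, 4438, 4443, 4444,
    4455, 5445, 5552, 5649, 6625, 7210, 7777, 8143, 8843, 9631, 9943, 10101,
    12102, 12103, 12322, 13145, 13394, 13504, 13505, 13506, 13507, 14102,
    14103, 14154, 49180, 65520, 65535,
}

# filter_main_local_ranges: DestinationIp|cidr (IPv4 and IPv6 ranges)
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# filter_optional_sys_directories: Image|startswith. Sigma string matching
# is case-insensitive by default, so prefixes are compared lower-cased.
SYS_DIR_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def selection(event):
    """Initiated: 'true' AND DestinationPort in the callback port list."""
    return (str(event.get("Initiated", "")).lower() == "true"
            and int(event.get("DestinationPort", -1)) in CALLBACK_PORTS)


def filter_main_local_ranges(event):
    """True when DestinationIp falls inside any loopback/private/link-local range."""
    try:
        ip = ipaddress.ip_address(event.get("DestinationIp", ""))
    except ValueError:
        return False  # unparsable address: the filter does not apply
    # 'ip in net' is False when the IP version differs, so mixing v4/v6 is safe
    return any(ip in net for net in LOCAL_RANGES)


def filter_optional_sys_directories(event):
    """True when the connecting Image lives under a Program Files directory."""
    return event.get("Image", "").lower().startswith(SYS_DIR_PREFIXES)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event)
            and not filter_main_local_ranges(event)
            and not filter_optional_sys_directories(event))


# Constructed sample events (hypothetical hosts, paths and addresses)
SAMPLE_EVENTS = [
    {"_label": "temp-exe-4444-public", "Initiated": "true", "DestinationPort": 4444,
     "DestinationIp": "203.0.113.10", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"_label": "temp-exe-4444-rfc1918", "Initiated": "true", "DestinationPort": 4444,
     "DestinationIp": "10.20.30.40", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"_label": "program-files-4444-public", "Initiated": "true", "DestinationPort": 4444,
     "DestinationIp": "203.0.113.10", "Image": r"C:\Program Files\Vendor\agent.exe"},
    {"_label": "program-files-lowercase-4444", "Initiated": "true", "DestinationPort": "4444",
     "DestinationIp": "203.0.113.10", "Image": r"c:\program files (x86)\vendor\tool.exe"},
    {"_label": "temp-exe-443-public", "Initiated": "true", "DestinationPort": 443,
     "DestinationIp": "203.0.113.10", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
    {"_label": "inbound-4444", "Initiated": "false", "DestinationPort": 4444,
     "DestinationIp": "203.0.113.10", "Image": r"C:\Windows\System32\svchost.exe"},
    {"_label": "ipv6-link-local-7777", "Initiated": "true", "DestinationPort": 7777,
     "DestinationIp": "fe80::1", "Image": r"C:\Users\bob\Downloads\client.exe"},
    {"_label": "ipv6-global-7777", "Initiated": "true", "DestinationPort": 7777,
     "DestinationIp": "2001:db8::5", "Image": r"C:\Users\bob\Downloads\client.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return the labels of the events the rule would alert on, in input order."""
    return [e["_label"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for label in run():
        print("ALERT", label)
```

Of the eight constructed events only `temp-exe-4444-public` and `ipv6-global-7777` fire: the RFC 1918, link-local and Program Files cases are suppressed by the filters, port 443 is not in the list, and the inbound connection fails the `Initiated: 'true'` check. The private-range filter is also the rule's main blind spot: an implant calling back to a compromised internal pivot on one of these ports is filtered out by design, so pair this rule with internal-traffic detections rather than relying on it for lateral C2.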
