Suspicious Program Location with Network Connections
Detects programs with network connections running in suspicious file system locations
Sigma rule:

title: Suspicious Program Location with Network Connections
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: Detects programs with network connections running in suspicious file system locations
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2017/03/19
modified: 2023/12/11
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
    definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
    selection:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    filter_optional_ibm:
        Image|contains: ':\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
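To show how the rule's condition evaluates in practice, here is an added Python example (not code from the Sigma project or from this page) that applies the selection and the filter_optional_ibm exclusion to constructed Sysmon Event ID 3 records. It uses Sigma's default case-insensitive `contains` semantics, so it also shows that the `:\` prefix matches any drive letter and that mixed-case paths still hit; the event dictionaries and the EventID/Image field names are assumed to follow Sysmon's naming.

```python
# Added example (not from the Sigma project): evaluates this rule's logic
# over constructed Sysmon Event ID 3 records. Sigma's "contains" modifier
# is a case-insensitive substring match by default.

SELECTION_IMAGE_CONTAINS = [
    ":\\$Recycle.bin",
    ":\\Perflogs\\",
    ":\\Users\\Default\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Fonts\\",
    ":\\Windows\\IME\\",
    "\\config\\systemprofile\\",
    "\\Windows\\addins\\",
]

# filter_optional_* sections: a hit in any of them excludes the event
FILTER_OPTIONAL = {
    "filter_optional_ibm": [":\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\"],
}


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains': substring match, case-insensitive by default."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    if event.get("EventID") != 3:          # logsource: network_connection only
        return False
    image = event.get("Image", "")
    if not contains_any(image, SELECTION_IMAGE_CONTAINS):
        return False
    return not any(contains_any(image, n) for n in FILTER_OPTIONAL.values())


def alerting_images(events) -> list:
    return [e["Image"] for e in events if rule_matches(e)]


# Constructed sample events (field names follow Sysmon's EventID/Image)
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Users\\Public\\update.exe"},        # alert
    {"EventID": 3, "Image": "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\launch.exe"},  # excluded
    {"EventID": 3, "Image": "C:\\Program Files\\Vendor\\app.exe"},   # benign location
    {"EventID": 3, "Image": "c:\\windows\\fonts\\svc.exe"},          # case-insensitive hit
    {"EventID": 3, "Image": "D:\\Users\\Default\\tool.exe"},         # ':\' matches any drive
    {"EventID": 1, "Image": "C:\\PerfLogs\\run.exe"},                # process create, not a network event
]

if __name__ == "__main__":
    for img in alerting_images(SAMPLE_EVENTS):
        print("ALERT", img)
```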
Related rules
- AppX Package Installation Attempts Via AppInstaller.EXE
- File Download And Execution Via IEExec.EXE
- File Download From Browser Process Via Inline URL
- File Download Via Windows Defender MpCmpRun.EXE
- Potential COM Objects Download Cradles Usage - PS Script