Suspicious Program Location with Network Connections

Detects programs with network connections running in suspicious file system locations

Sigma rule

```yaml
title: Suspicious Program Location with Network Connections
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: Detects programs with network connections running in suspicious files system locations
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2017/03/19
modified: 2023/12/11
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
    definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events'
detection:
    selection:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    filter_optional_ibm:
        Image|contains: ':\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
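As an added illustration that is not part of the rule or the SigmaHQ project, the selection and filter logic above re-implemented in Python and run over constructed Sysmon Event ID 3 records. It assumes Sigma's default case-insensitive substring matching for `|contains` and that the logsource maps to Sysmon Event ID 3, as the rule's `definition` field states.

```python
# Path fragments copied from the rule's `Image|contains` selection.
SUSPICIOUS_FRAGMENTS = [
    ":\\$Recycle.bin",
    ":\\Perflogs\\",
    ":\\Users\\Default\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Fonts\\",
    ":\\Windows\\IME\\",
    "\\config\\systemprofile\\",
    "\\Windows\\addins\\",
]
# The rule's filter_optional_ibm exclusion (IBM Client Solutions default location).
IBM_FILTER = ":\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\"


def contains_ci(haystack: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default (assumed here).
    return needle.lower() in haystack.lower()


def matches_rule(event: dict) -> bool:
    # Only network_connection events are in scope; the logsource definition
    # ties this to Sysmon Event ID 3 (assumption: EventID carried in the record).
    if event.get("EventID") != 3:
        return False
    image = event.get("Image", "")
    selection = any(contains_ci(image, frag) for frag in SUSPICIOUS_FRAGMENTS)
    # condition: selection and not 1 of filter_optional_*
    return selection and not contains_ci(image, IBM_FILTER)


def alerts(events: list) -> list:
    """Return the Image path of every event the rule would fire on."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample records (not real telemetry); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Users\\Public\\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\ibm_tool.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 8476},   # excluded by IBM filter
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "203.0.113.30", "DestinationPort": 443},    # legitimate location
    {"EventID": 3, "Image": "c:\\perflogs\\update.exe",
     "DestinationIp": "203.0.113.40", "DestinationPort": 80},     # lower-case path still matches
    {"EventID": 1, "Image": "C:\\Users\\Public\\svchost.exe"},    # process creation, out of scope
]

if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT:", image)
```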
