Suspicious Wordpad Outbound Connections
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.
Sigma rule (View on GitHub)
1title: Suspicious Wordpad Outbound Connections
2id: 786cdae8-fefb-4eb2-9227-04e34060db01
3status: test
4description: |
5 Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
6 This might indicate potential process injection activity from a beacon or similar mechanisms.
7references:
8 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
9author: X__Junior (Nextron Systems)
10date: 2023-07-12
11modified: 2023-12-15
12tags:
13 - attack.defense-evasion
14 - attack.command-and-control
15logsource:
16 category: network_connection
17 product: windows
18detection:
19 selection:
20 Initiated: 'true'
21 Image|endswith: '\wordpad.exe'
22 filter_main_ports:
23 DestinationPort:
24 - 80
25 - 139
26 - 443
27 - 445
28 - 465
29 - 587
30 - 993
31 - 995
32 condition: selection and not 1 of filter_main_*
33falsepositives:
34 - Other ports can be used, apply additional filters accordingly
35level: medium
References
-
The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.
Read More
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- Curl Download And Execute Combination
- Download from Suspicious Dyndns Hosts