Suspicious Wordpad Outbound Connections

Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.

Sigma rule (View on GitHub)

 1title: Suspicious Wordpad Outbound Connections
 2id: 786cdae8-fefb-4eb2-9227-04e34060db01
 3status: experimental
 4description: |
 5    Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
 6    This might indicate potential process injection activity from a beacon or similar mechanisms.    
 7references:
 8    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 9author: X__Junior (Nextron Systems)
10date: 2023-07-12
11modified: 2023-12-15
12tags:
13    - attack.defense-evasion
14    - attack.command-and-control
15logsource:
16    category: network_connection
17    product: windows
18detection:
19    selection:
20        Initiated: 'true'
21        Image|endswith: '\wordpad.exe'
22    filter_main_ports:
23        DestinationPort:
24            - 80
25            - 139
26            - 443
27            - 445
28            - 465
29            - 587
30            - 993
31            - 995
32    condition: selection and not 1 of filter_main_*
33falsepositives:
34    - Other ports can be used, apply additional filters accordingly
35level: medium

References

Related rules

to-top