Suspicious Wordpad Outbound Connections
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.
Sigma rule (View on GitHub)
1title: Suspicious Wordpad Outbound Connections
2id: 786cdae8-fefb-4eb2-9227-04e34060db01
3status: experimental
4description: |
5 Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
6 This might indicate potential process injection activity from a beacon or similar mechanisms.
7references:
8 - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
9author: X__Junior (Nextron Systems)
10date: 2023/07/12
11modified: 2023/12/15
12tags:
13 - attack.defense_evasion
14 - attack.command_and_control
15logsource:
16 category: network_connection
17 product: windows
18detection:
19 selection:
20 Initiated: 'true'
21 Image|endswith: '\wordpad.exe'
22 filter_main_ports:
23 DestinationPort:
24 - 80
25 - 139
26 - 443
27 - 445
28 - 465
29 - 587
30 - 993
31 - 995
32 condition: selection and not 1 of filter_main_*
33falsepositives:
34 - Other ports can be used, apply additional filters accordingly
35level: medium
References
-
The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.
Read More
Related rules
- Network Connection Initiated Via Notepad.EXE
- Office Application Initiated Network Connection Over Uncommon Ports
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- OilRig APT Schedule Task Persistence - System
- Bitsadmin to Uncommon IP Server Address