Detectionmediumtest

Network Communication Initiated To Portmap.IO Domain

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Fri May 3107837ab9-60e1-481f-a74d-c31fb496a94cwindows

Log Source

WindowsNetwork Connection

ProductWindows← raw: windows

CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic

detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.portmap.io'
    condition: selection

False Positives

Legitimate use of portmap.io domains

References

MITRE ATT&CK

Tactics

Techniques

Sub-techniques

Rule Metadata

Rule ID

07837ab9-60e1-481f-a74d-c31fb496a94c

Status

test

Level

medium

Type

Detection

Created

Fri May 31

Author

Path

rules/windows/network_connection/net_connection_win_domain_portmap.yml

Raw Tags

attack.t1041attack.command-and-controlattack.t1090.002attack.exfiltration