
Outbound Network Connection Initiated By Microsoft Dialer

Detects outbound network connections initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. In the context of current usage this is an outdated process; it is a common target of info stealers for process injection and is used to make C2 connections, a common example being "Rhadamanthys".

Log Source
Windows / Network Connection
Product: windows
Category: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
detection:
    selection:
        Image|endswith: ':\Windows\System32\dialer.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
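As an added illustration (not part of the Sigma rule or the Sigma project), the following Python matcher applies the rule's logic to constructed Sysmon network-connection records: the `selection` clause on `Image` and `Initiated`, and the `filter_main_local_ranges` CIDR exclusion for both IPv4 and IPv6. The event dictionaries and destination addresses are constructed sample data.

```python
# Added example: applies "selection and not 1 of filter_main_*" from the rule
# above to constructed Sysmon Event ID 3 style records (not real log data).
import ipaddress

# Ranges excluded by filter_main_local_ranges (loopback, RFC 1918, link-local, ULA)
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local(ip_text):
    """True when the destination address falls inside one of the excluded ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: do not suppress the alert
    # ipaddress returns False for a version mismatch (IPv4 addr vs IPv6 net)
    return any(ip in net for net in LOCAL_RANGES)


def matches_rule(event):
    """Return True when the event satisfies the rule's condition."""
    image = event.get("Image", "")
    # Sigma string modifiers match case-insensitively by default
    selection = (
        image.lower().endswith(":\\windows\\system32\\dialer.exe")
        and str(event.get("Initiated", "")).lower() == "true"
    )
    return selection and not is_local(event.get("DestinationIp", ""))


# Constructed sample events in the shape of Sysmon network_connection logs
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\dialer.exe", "Initiated": "true", "DestinationIp": "203.0.113.10"},
    {"Image": "C:\\Windows\\System32\\dialer.exe", "Initiated": "true", "DestinationIp": "192.168.1.20"},
    {"Image": "C:\\Windows\\System32\\dialer.exe", "Initiated": "false", "DestinationIp": "203.0.113.10"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", "DestinationIp": "203.0.113.10"},
    {"Image": "C:\\Windows\\System32\\dialer.exe", "Initiated": "true", "DestinationIp": "fe80::1"},
    {"Image": "C:\\Windows\\System32\\dialer.exe", "Initiated": "true", "DestinationIp": "2001:db8::5"},
]


def alerts(events):
    """Return the destination IPs of the events that trigger the rule."""
    return [e["DestinationIp"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for ip in alerts(SAMPLE_EVENTS):
        print("ALERT: dialer.exe initiated outbound connection to", ip)
```

Only the two events with a non-local destination (one IPv4, one IPv6) fire; the inbound, non-dialer and link-local events are suppressed, which is the behaviour a backend conversion of this rule should reproduce.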
False Positives

On modern Windows systems, legitimate usage of this process has not been observed. However, if an organization has a legitimate purpose for it, there can be false positives.

Rule Metadata
Rule ID
37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
Status
test
Level
high
Type
Detection
Created
Fri Apr 26
Path
rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
Raw Tags
attack.execution, attack.command-and-control, attack.t1071.001