Threat Huntmediumtest
Dfsvc.EXE Network Connection To Non-Local IPs
Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Jun 12Updated Tue Mar 123c21219b-49b5-4268-bce6-c914ed50f09cwindows
Hunting Hypothesis
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic2 selectors
detection:
selection:
Image|endswith: '\dfsvc.exe'
Initiated: 'true'
filter_main_local_ip:
DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
- '127.0.0.0/8'
- '10.0.0.0/8'
- '169.254.0.0/16' # link-local address
- '172.16.0.0/12'
- '192.168.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*False Positives
False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary
References
MITRE ATT&CK
Tactics
Other
detection.threat-hunting
Rule Metadata
Rule ID
3c21219b-49b5-4268-bce6-c914ed50f09c
Status
test
Level
medium
Type
Threat Hunt
Created
Mon Jun 12
Modified
Tue Mar 12
Path
rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml
Raw Tags
attack.executionattack.t1203detection.threat-hunting