Threat Hunt (level: high, status: test)
Dfsvc.EXE Initiated Network Connection Over Uncommon Port
Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Mon Jun 12
Updated: Wed Jan 31
Rule ID: 4c5fba4a-9ef6-4f16-823d-606246054741
Product: windows
Hunting Hypothesis
Log Source
Windows / Network Connection
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (3 selectors)
detection:
    selection:
        Image|contains: ':\Windows\Microsoft.NET\'
        Image|endswith: '\dfsvc.exe'
        Initiated: 'true'
    filter_main_known_ports:
        DestinationPort:
            - 80
            - 443
    filter_optional_dns_ipv6:
        # Based on VT. More than 140 binaries made communication over DNS
        DestinationIsIpv6: 'true'
        DestinationPort: 53
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
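To make the detection logic above concrete for triage, here is an added example (not part of the rule page or the Sigma project) that evaluates the same selection and filters in Python over a handful of constructed Sysmon Event ID 3 style records. Field names (Image, Initiated, DestinationPort, DestinationIsIpv6) follow the rule; the sample events, the function names and the `explain` helper are assumptions made for this illustration. Sigma string comparisons are case-insensitive, so the code lower-cases both sides before matching.

```python
"""Evaluate the dfsvc.exe uncommon-port Sigma rule over constructed events.

Hypothetical data and helper names; not the rule page's or the Sigma project's code.
"""
from typing import Optional

# Constructed Sysmon network-connection records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe",
     "Initiated": "true", "DestinationPort": "443", "DestinationIsIpv6": "false"},
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe",
     "Initiated": "true", "DestinationPort": "8443", "DestinationIsIpv6": "false"},
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe",
     "Initiated": "true", "DestinationPort": "53", "DestinationIsIpv6": "true"},
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe",
     "Initiated": "true", "DestinationPort": "53", "DestinationIsIpv6": "false"},
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe",
     "Initiated": "false", "DestinationPort": "4444", "DestinationIsIpv6": "false"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\dfsvc.exe",
     "Initiated": "true", "DestinationPort": "4444", "DestinationIsIpv6": "false"},
]


def _lower(value) -> str:
    """Sigma string matching is case-insensitive; normalise before comparing."""
    return str(value).lower()


def _port(event) -> Optional[int]:
    """Sysmon exports DestinationPort as a string; the rule compares numbers."""
    try:
        return int(event.get("DestinationPort"))
    except (TypeError, ValueError):
        return None


def selection(event) -> bool:
    """Image|contains + Image|endswith + Initiated: 'true'."""
    image = _lower(event.get("Image", ""))
    return (":\\windows\\microsoft.net\\" in image
            and image.endswith("\\dfsvc.exe")
            and _lower(event.get("Initiated", "")) == "true")


def filter_main_known_ports(event) -> bool:
    """DestinationPort in [80, 443]."""
    return _port(event) in (80, 443)


def filter_optional_dns_ipv6(event) -> bool:
    """DestinationIsIpv6: 'true' and DestinationPort: 53."""
    return _lower(event.get("DestinationIsIpv6", "")) == "true" and _port(event) == 53


def matches(event) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event)
            and not filter_main_known_ports(event)
            and not filter_optional_dns_ipv6(event))


def explain(event) -> str:
    """Triage aid (hypothetical helper): say why an event did or did not fire."""
    if not selection(event):
        return "no-match: selection"
    if filter_main_known_ports(event):
        return "suppressed: filter_main_known_ports"
    if filter_optional_dns_ipv6(event):
        return "suppressed: filter_optional_dns_ipv6"
    return "hit: dfsvc.exe connection over uncommon port %s" % _port(event)


def hunt(events) -> list:
    """Return the indices of events that satisfy the rule condition."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, explain(ev))
    print("hits:", hunt(SAMPLE_EVENTS))
```

Running it shows two hits: the connection to port 8443 and the IPv4 DNS connection to port 53. The second one is worth noticing during triage: the optional filter only covers IPv6 DNS lookups, so IPv4 port-53 traffic from dfsvc.exe still fires and may be a benign resolver if the endpoint has no IPv6 configured.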
References
MITRE ATT&CK
Tactics
Other: detection.threat-hunting
Rule Metadata
Rule ID
4c5fba4a-9ef6-4f16-823d-606246054741
Status
test
Level
high
Type
Threat Hunt
Created
Mon Jun 12
Modified
Wed Jan 31
Path
rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml
Raw Tags
attack.execution, attack.t1203, detection.threat-hunting