Type: Detection | Level: medium | Status: test

Suspicious Wordpad Outbound Connections

Detects an outbound network connection initiated by "wordpad.exe" to a destination port other than the common ports the rule filters out (80, 139, 443, 445, 465, 587, 993, 995). A connection from WordPad to an unusual port can indicate a beacon or similar payload that was injected into the process. Note that because the common web and mail ports are exempted, a beacon that blends in over HTTP/HTTPS (80/443) from wordpad.exe will not trigger this rule.

Author: X__Junior (Nextron Systems)
Log Source
Product: windows
Category: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\wordpad.exe'
    filter_main_ports:
        DestinationPort:
            - 80
            - 139
            - 443
            - 445
            - 465
            - 587
            - 993
            - 995
    condition: selection and not 1 of filter_main_*
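As an added example (not code from the rule page or from the Sigma project), the Python below replays the rule's `selection and not 1 of filter_main_*` condition over a handful of constructed Sysmon network-connection records. Field names follow the Sigma Windows network_connection schema the rule uses (Image, Initiated, DestinationPort); the sample events and IP addresses are made up for illustration.

```python
r"""Evaluate the 'Suspicious Wordpad Outbound Connections' Sigma logic
over constructed network-connection events (added example, not rule code).

selection:
    Initiated: 'true'               -> outbound connection
    Image|endswith: '\wordpad.exe'
filter_main_ports:
    DestinationPort in a fixed list of common ports
condition: selection and not 1 of filter_main_*
"""

# Ports the rule treats as common for wordpad.exe and therefore suppresses.
FILTERED_PORTS = {80, 139, 443, 445, 465, 587, 993, 995}


def matches(event: dict) -> bool:
    """Return True when the event would fire the rule."""
    # Sysmon writes Initiated as the string "true"/"false".
    initiated = str(event.get("Initiated", "")).lower() == "true"
    # Sigma string matches on Windows backends are case-insensitive.
    image = str(event.get("Image", "")).lower()
    selection = initiated and image.endswith("\\wordpad.exe")
    if not selection:
        return False
    try:
        port = int(event.get("DestinationPort"))
    except (TypeError, ValueError):
        # Missing or unparsable port: the filter cannot match,
        # so the selection alone decides and the rule fires.
        return True
    filter_main_ports = port in FILTERED_PORTS
    return not filter_main_ports


def alerts(events):
    """Return the subset of events that match the rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry).
WORDPAD = r"C:\Program Files\Windows NT\Accessories\wordpad.exe"
SAMPLE_EVENTS = [
    # wordpad.exe -> uncommon port: fires
    {"Image": WORDPAD, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    # wordpad.exe -> 443: suppressed by filter_main_ports
    {"Image": WORDPAD, "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # mixed-case image name, port as string: still fires
    {"Image": WORDPAD.upper(), "Initiated": "true",
     "DestinationIp": "198.51.100.7", "DestinationPort": "4444"},
    # inbound connection: selection requires Initiated = true
    {"Image": WORDPAD, "Initiated": "false",
     "DestinationIp": "10.0.0.5", "DestinationPort": 1337},
    # different process: not in scope
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": 8080},
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}")
```

Running it flags only the 8443 and 4444 connections; the 443 connection is silently dropped by the filter, which is the trade-off called out in the description. In a real deployment the YAML is converted for the target SIEM with a Sigma backend rather than evaluated by hand like this.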
False Positives

Other ports may be used legitimately in a given environment; add filters for them as needed.

Rule Metadata
Rule ID
786cdae8-fefb-4eb2-9227-04e34060db01
Status
test
Level
medium
Type
Detection
Created
Wed Jul 12
Modified
Fri Dec 15
Path
rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml
Raw Tags
attack.defense-evasion, attack.command-and-control