Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Sun Mar 19Updated Wed Dec 107b434893-c57d-4f41-908d-6a17bf1ae98fwindows
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Music\'
            - '\Pictures\'
            - '\Videos\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io'  # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
docs.google.com
MITRE ATT&CK
Rule Metadata
Rule ID
7b434893-c57d-4f41-908d-6a17bf1ae98f
Status
test
Level
high
Type
Detection
Created
Sun Mar 19
Modified
Wed Dec 10
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml
Raw Tags
attack.command-and-controlattack.t1105
View on GitHub