Type: Threat Hunt | Level: medium | Status: test
Network Connection Initiated From Users\Public Folder
Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attackers are known to drop their malicious payloads and malware in this directory because it is writable by everyone. Use this rule to hunt for potentially suspicious or uncommon activity in your environment.
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (2 selectors)
detection:
    selection:
        Initiated: 'true'
        Image|contains: ':\Users\Public\'
    filter_optional_ibm:
        Image|contains: ':\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location (Added by Tim Shelton - https://github.com/SigmaHQ/sigma/pull/3053/files)
    condition: selection and not 1 of filter_optional_*
False Positives
Likely from legitimate third-party applications that execute from the "Public" directory.
References
MITRE ATT&CK
Tactics: Command and Control (attack.command-and-control)
Techniques: T1105 (attack.t1105)
Other: detection.threat-hunting
Rule Metadata
Rule ID
bcb03938-9f8b-487d-8d86-e480691e1d71
Status
test
Level
medium
Type
Threat Hunt
Created
Fri May 31
Path
rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml
Raw Tags
attack.command-and-control, attack.t1105, detection.threat-hunting