Threat Hunt | medium | test
Dllhost.EXE Initiated Network Connection To Non-Local IP Address
Detects Dllhost.EXE initiating a network connection to a non-local IP address. Microsoft's own IP ranges are excluded, since the binary legitimately talks to them. Network communication from Dllhost depends entirely on the hosted DLL, so an initial baseline of normal destinations is recommended before deployment.
Hunting Hypothesis
Log Source
Windows / Network Connection
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)
Events for outbound and inbound network connections including DNS resolution.
Detection Logic (3 selectors)
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13' # Akamai International B.V.
            - '51.10.0.0/15' # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
            - '150.171.0.0/19' # Microsoft Corporation
            - '204.79.197.0/24' # Microsoft Corporation
    condition: selection and not 1 of filter_main_*

False Positives
Communication to other corporate systems that use IP addresses from public address spaces
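To show how the rule's condition (`selection and not 1 of filter_main_*`) evaluates against real events, here is an added Python example that is not part of the original rule or the Phoenix Studio site. It re-implements the three selectors over a handful of constructed Sysmon-style network connection events (the `id` field, the event dicts and the destination addresses are made up for the demonstration); the CIDR lists are transcribed from the rule above. Sigma string modifiers such as `endswith` are case-insensitive, so the image path is lower-cased before comparison.

```python
import ipaddress

# CIDR lists transcribed from the Sigma rule's two filter selectors.
LOCAL_RANGES = [
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10",
]
MS_RANGES = [
    "20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "52.224.0.0/11", "150.171.0.0/19",
    "204.79.197.0/24",
]

# One entry per filter_main_* selector; '1 of filter_main_*' means any hit suppresses.
FILTERS = {
    "filter_main_local_ranges": [ipaddress.ip_network(c, strict=False) for c in LOCAL_RANGES],
    "filter_main_msrange": [ipaddress.ip_network(c, strict=False) for c in MS_RANGES],
}


def in_any(ip_str, networks):
    """True if ip_str parses as an address and falls inside any of the networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Unparseable destination (e.g. a hostname) never matches a cidr filter.
        return False
    # IPv4 addresses are never contained in IPv6 networks and vice versa.
    return any(ip in net for net in networks)


def selection(event):
    """The 'selection' block: Image ends with \\dllhost.exe and Initiated is 'true'."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower()
    return image.endswith("\\dllhost.exe") and initiated == "true"


def suppressing_filters(event):
    """Names of filter_main_* selectors that match this event's DestinationIp."""
    dst = event.get("DestinationIp", "")
    return [name for name, nets in FILTERS.items() if in_any(dst, nets)]


def matches(event):
    """Full condition: selection and not 1 of filter_main_*."""
    return selection(event) and not suppressing_filters(event)


# Constructed sample events (not real telemetry); only rule-relevant fields are kept.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "8.8.8.8"},
    {"id": 2, "Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "192.168.1.10"},
    {"id": 3, "Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "20.190.1.1"},
    {"id": 4, "Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "false", "DestinationIp": "8.8.8.8"},
    {"id": 5, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true", "DestinationIp": "8.8.8.8"},
    {"id": 6, "Image": r"C:\Windows\SysWOW64\DllHost.EXE", "Initiated": "true", "DestinationIp": "fe80::1"},
    {"id": 7, "Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "2001:db8::1"},
]


def hunt(events=SAMPLE_EVENTS):
    """Return the ids of events the rule would surface, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches(e) else "suppressed by " + ", ".join(suppressing_filters(e)) \
            if selection(e) else "not in selection"
        print(e["id"], e["DestinationIp"], verdict)
```

Event 3 lands in 20.184.0.0/13 and event 6 in fe80::/10, so both are suppressed even though the selection matches; event 7 uses the IPv6 documentation prefix, which no filter covers, and therefore surfaces just like the public IPv4 destination in event 1. Destinations belonging to corporate systems on public address space would surface the same way, which is the false positive the rule notes and the reason to baseline first.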
MITRE ATT&CK
Techniques: T1218 (attack.defense-evasion)
Sub-techniques: T1559.001 (attack.execution)
Other: detection.threat-hunting
Rule Metadata
Rule ID
cfed2f44-16df-4bf3-833a-79405198b277
Status
test
Level
medium
Type
Threat Hunt
Created
Mon Jul 13
Modified
Tue Jul 16
Author
Path
rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml
Raw Tags
attack.defense-evasion, attack.t1218, attack.execution, attack.t1559.001, detection.threat-hunting