Detectionhightest
Potentially Suspicious Malware Callback Communication - Linux
Detects programs that connect to known malware callback ports based on threat intelligence reports.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
LinuxNetwork Connection
ProductLinux← raw: linux
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic2 selectors
detection:
selection:
Initiated: 'true'
DestinationPort:
- 888
- 999
- 2200
- 2222
- 4000
- 4444
- 6789
- 8531
- 50501
- 51820
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
Status
test
Level
high
Type
Detection
Created
Fri May 10
Author
Path
rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
Raw Tags
attack.persistenceattack.command-and-controlattack.t1571