Type: Detection | Level: high | Status: test

Network Connection Initiated Via Notepad.EXE

Detects a network connection initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates network communication, except for example when printing documents.

Author: EagleEye Team
Created: Thu May 14
Updated: Fri Feb 02
Rule ID: e81528db-fc02-45e8-8e98-4e84aba1f10b

Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (2 selectors)
detection:
    selection:
        Image|endswith: '\notepad.exe'
    filter_optional_printing:
        DestinationPort: 9100
    condition: selection and not 1 of filter_optional_*
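
The rule's condition, evaluated the way a Sigma backend would, as an added example that is not part of the rule or the Sigma project: it runs the selection, the optional printing filter and the "1 of filter_optional_*" condition over constructed Sysmon Event ID 3 records using the field names the rule itself references (Image, DestinationPort).

```python
# Added example: a minimal evaluator for the detection logic of this Sigma rule,
# run over constructed Sysmon Event ID 3 (network connection) records. Field
# names follow the Sigma Windows network_connection schema used by the rule
# (Image, DestinationPort); the events below are constructed, not real telemetry.

def selection(event: dict) -> bool:
    """Image|endswith: '\\notepad.exe' (Sigma string matching is case-insensitive)."""
    return str(event.get("Image", "")).lower().endswith("\\notepad.exe")

def filter_optional_printing(event: dict) -> bool:
    """DestinationPort: 9100 (raw printer port). Log pipelines may carry the
    port as an integer or a string, so compare as text."""
    return str(event.get("DestinationPort", "")) == "9100"

# "1 of filter_optional_*": every selector whose name starts with the prefix.
FILTERS_OPTIONAL = [
    fn for name, fn in list(globals().items())
    if name.startswith("filter_optional_") and callable(fn)
]

def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    if not selection(event):
        return False
    return not any(f(event) for f in FILTERS_OPTIONAL)

def find_alerts(events: list) -> list:
    """Return the events the rule would raise as alerts."""
    return [e for e in events if rule_matches(e)]

# Constructed sample events (RFC 5737 documentation addresses, no real hosts).
SAMPLE_EVENTS = [
    # Printing via notepad: matches selection, excluded by the printing filter.
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "192.0.2.20", "DestinationPort": 9100},
    # Outbound HTTPS from notepad: the behaviour the rule is meant to surface.
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    # Same, with mixed case and a string port value, to exercise matching rules.
    {"EventID": 3, "Image": r"C:\Windows\System32\NOTEPAD.EXE",
     "DestinationIp": "198.51.100.7", "DestinationPort": "8080"},
    # Unrelated process: never matches the selection.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}")
```

Only the two non-printing notepad connections are reported; the port 9100 event is suppressed by the optional filter exactly as the rule's condition specifies.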
False Positives

Printing documents via notepad might cause communication with the printer via port 9100 or similar.

Rule Metadata
Rule ID
e81528db-fc02-45e8-8e98-4e84aba1f10b
Status
test
Level
high
Type
Detection
Created
Thu May 14
Modified
Fri Feb 02
Path
rules/windows/network_connection/net_connection_win_notepad.yml
Raw Tags
attack.privilege-escalation
attack.command-and-control
attack.execution
attack.defense-evasion
attack.t1055