SigmaHQ/rules/windows/sysmon/sysmon_win_binary_susp_com.yml

title: Microsoft Binary Suspicious Communication Endpoint
status: experimental
description: Detects an executable in the Windows folder accessing suspicious domains
references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
author: Florian Roth
date: 2018/08/30
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        DestinationHostname: 
            - '*dl.dropboxusercontent.com'
            - '*.pastebin.com'
        Image: 'C:\Windows\\*'
    condition: selection
falsepositives:
    - 'Unknown'
level: high
Rule: Suspicious communication endpoints 2018-08-30 08:11:53 +00:00			`title: Microsoft Binary Suspicious Communication Endpoint`
			`status: experimental`
			`description: Detects an executable in the Windows folder accessing suspicious domains`
			`references:`
			`- https://twitter.com/M_haggis/status/900741347035889665`
			`- https://twitter.com/M_haggis/status/1032799638213066752`
			`author: Florian Roth`
			`date: 2018/08/30`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 3`
			`DestinationHostname:`
			`- '*dl.dropboxusercontent.com'`
			`- '*.pastebin.com'`
Escaped '\' to '\\' where required 2019-02-02 23:24:57 +00:00			`Image: 'C:\Windows\\*'`
Rule: Suspicious communication endpoints 2018-08-30 08:11:53 +00:00			`condition: selection`
			`falsepositives:`
			`- 'Unknown'`
			`level: high`