SigmaHQ/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml

title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
tags:
    - attack.command_and_control
    - attack.t1043
logsource:
    product: windows
    service: sysmon
    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection:
        EventID: 3
        DestinationPort:
            - '4443'
            - '2448'
            - '8143'
            - '1777'
            - '1443'
            - '243'
            - '65535'
            - '13506'
            - '3360'
            - '200'
            - '198'
            - '49180'
            - '13507'
            - '6625'
            - '4444'
            - '4438'
            - '1904'
            - '13505'
            - '13504'
            - '12102'
            - '9631'
            - '5445'
            - '2443'
            - '777'
            - '13394'
            - '13145'
            - '12103'
            - '5552'
            - '3939'
            - '3675'
            - '666'
            - '473'
            - '5649'
            - '4455'
            - '4433'
            - '1817'
            - '100'
            - '65520'
            - '1960'
            - '1515'
            - '743'
            - '700'
            - '14154'
            - '14103'
            - '14102'
            - '12322'
            - '10101'
            - '7210'
            - '4040'
            - '9943'
    filter1:
        Image: '*\Program Files*'
    filter2:
        DestinationIp: 
            - '10.*'
            - '192.168.*'
            - '172.16.*'
            - '172.17.*'
            - '172.18.*'
            - '172.19.*'
            - '172.20.*'
            - '172.21.*'
            - '172.22.*'
            - '172.23.*'
            - '172.24.*'
            - '172.25.*'
            - '172.26.*'
            - '172.27.*'
            - '172.28.*'
            - '172.29.*'
            - '172.30.*'
            - '172.31.*'
            - '127.*'
        DestinationIsIpv6: 'false'
    condition: selection and not ( filter1 or filter2 )
falsepositives:
    - unknown
level: medium
Rules: Suspicious locations and back connect ports 2017-03-19 14:22:27 +00:00			`title: Suspicious Typical Malware Back Connect Ports`
			`status: experimental`
Fixed spelling mistake 2018-07-09 14:13:31 +00:00			`description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo`
Rules: Suspicious locations and back connect ports 2017-03-19 14:22:27 +00:00			`author: Florian Roth`
			`date: 2017/03/19`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1043`
Rules: Suspicious locations and back connect ports 2017-03-19 14:22:27 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'`
Rules: Suspicious locations and back connect ports 2017-03-19 14:22:27 +00:00			`detection:`
			`selection:`
			`EventID: 3`
			`DestinationPort:`
			`- '4443'`
			`- '2448'`
			`- '8143'`
			`- '1777'`
			`- '1443'`
			`- '243'`
			`- '65535'`
			`- '13506'`
			`- '3360'`
			`- '200'`
			`- '198'`
			`- '49180'`
			`- '13507'`
			`- '6625'`
			`- '4444'`
			`- '4438'`
			`- '1904'`
			`- '13505'`
			`- '13504'`
			`- '12102'`
			`- '9631'`
			`- '5445'`
			`- '2443'`
			`- '777'`
			`- '13394'`
			`- '13145'`
			`- '12103'`
			`- '5552'`
			`- '3939'`
			`- '3675'`
			`- '666'`
			`- '473'`
			`- '5649'`
			`- '4455'`
			`- '4433'`
			`- '1817'`
			`- '100'`
			`- '65520'`
			`- '1960'`
			`- '1515'`
			`- '743'`
			`- '700'`
			`- '14154'`
			`- '14103'`
			`- '14102'`
			`- '12322'`
			`- '10101'`
			`- '7210'`
			`- '4040'`
			`- '9943'`
Added private IP filter to reduce FPs 2019-02-23 18:15:03 +00:00			`filter1:`
Rules: Suspicious locations and back connect ports 2017-03-19 14:22:27 +00:00			`Image: '\Program Files'`
Added private IP filter to reduce FPs 2019-02-23 18:15:03 +00:00			`filter2:`
			`DestinationIp:`
			`- '10.*'`
			`- '192.168.*'`
			`- '172.16.*'`
			`- '172.17.*'`
			`- '172.18.*'`
			`- '172.19.*'`
			`- '172.20.*'`
			`- '172.21.*'`
			`- '172.22.*'`
			`- '172.23.*'`
			`- '172.24.*'`
			`- '172.25.*'`
			`- '172.26.*'`
			`- '172.27.*'`
			`- '172.28.*'`
			`- '172.29.*'`
			`- '172.30.*'`
			`- '172.31.*'`
Added missing tags and some minor improvements 2019-03-05 22:25:49 +00:00			`- '127.*'`
Added private IP filter to reduce FPs 2019-02-23 18:15:03 +00:00			`DestinationIsIpv6: 'false'`
			`condition: selection and not ( filter1 or filter2 )`
Rules: Suspicious locations and back connect ports 2017-03-19 14:22:27 +00:00			`falsepositives:`
			`- unknown`
Fixed spelling mistake 2018-07-09 14:13:31 +00:00			`level: medium`