title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
logsource:
    product: windows
    service: sysmon
    description: 'Requires Sysmon Event ID 3 (Network connection detected) events; the NetworkConnect event type must be enabled in the Sysmon configuration'
detection:
    selection:
        EventID: 3
        DestinationPort:
            - '4443'
            - '2448'
            - '8143'
            - '1777'
            - '1443'
            - '243'
            - '65535'
            - '13506'
            - '3360'
            - '200'
            - '198'
            - '49180'
            - '13507'
            - '6625'
            - '4444'
            - '4438'
            - '1904'
            - '13505'
            - '13504'
            - '12102'
            - '9631'
            - '5445'
            - '2443'
            - '777'
            - '13394'
            - '13145'
            - '12103'
            - '5552'
            - '3939'
            - '3675'
            - '666'
            - '473'
            - '5649'
            - '4455'
            - '4433'
            - '1817'
            - '100'
            - '65520'
            - '1960'
            - '1515'
            - '743'
            - '700'
            - '14154'
            - '14103'
            - '14102'
            - '12322'
            - '10101'
            - '7210'
            - '4040'
            - '9943'
    filter:
        Image: '*\Program Files*'
    condition: selection and not filter
falsepositives:
    - unknown
level: medium
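To see what the rule's `selection and not filter` condition actually does against event data, here is an added Python evaluator (example code written for this page, not part of the Sigma rule or the Sigma project). It copies the rule's port list and `Image` filter, applies Sigma's case-insensitive wildcard semantics, and runs them over a handful of constructed Sysmon Event ID 3 records; the event dictionaries and their paths and IP addresses are invented sample input, not real telemetry.

```python
"""Evaluate the back-connect-port Sigma rule above over constructed Sysmon Event ID 3 records."""
import re
from typing import Iterable, List

# Port list copied verbatim from the rule's DestinationPort selection (50 ports).
BACKCONNECT_PORTS = {
    4443, 2448, 8143, 1777, 1443, 243, 65535, 13506, 3360, 200, 198, 49180,
    13507, 6625, 4444, 4438, 1904, 13505, 13504, 12102, 9631, 5445, 2443, 777,
    13394, 13145, 12103, 5552, 3939, 3675, 666, 473, 5649, 4455, 4433, 1817,
    100, 65520, 1960, 1515, 743, 700, 14154, 14103, 14102, 12322, 10101, 7210,
    4040, 9943,
}

# The rule's filter: any Image path containing "\Program Files" is excluded.
FILTER_IMAGE_PATTERN = r"*\Program Files*"


def sigma_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Sigma wildcard string into a regex.

    Sigma string comparisons are case-insensitive; '*' matches any run of
    characters and '?' matches exactly one.  Everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


FILTER_IMAGE_RE = sigma_glob_to_regex(FILTER_IMAGE_PATTERN)


def matches_rule(event: dict) -> bool:
    """Return True when 'selection and not filter' holds for one event.

    Expects the Sysmon field names the rule uses: EventID, DestinationPort, Image.
    Sysmon exports DestinationPort as a string, so it is normalised to int here.
    """
    try:
        event_id = int(event.get("EventID", -1))
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    selection = event_id == 3 and port in BACKCONNECT_PORTS
    if not selection:
        return False
    image = str(event.get("Image", ""))
    return not FILTER_IMAGE_RE.match(image)


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (invented, not real logs); field names mirror Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},   # alert: listed port, not in Program Files
    {"EventID": 3, "Image": r"C:\Program Files\Vendor\agent.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},   # same port, excluded by the Image filter
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": "443"},    # port not in the list
    {"EventID": 1, "Image": r"C:\Users\bob\evil.exe",
     "DestinationPort": "4444"},                                     # not a network-connection event
    {"EventID": 3, "Image": r"c:\program files (x86)\tool\t.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": "13505"},   # lower-case path, still excluded
]

if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {e['Image']} -> {e.get('DestinationIp')}:{e['DestinationPort']}")
```

Running it prints a single alert for `update.exe`. The second and fifth records show the cost of the `Image` filter: any process whose path contains `\Program Files`, in either case, is silently dropped, so malware that installs under Program Files or injects into an installed application never reaches the port check. Combined with the fact that the ports are only statistically associated with sandbox samples, that is why the rule is marked `experimental` with `level: medium`; treat a hit as a lead to pivot on `DestinationIp` and the parent process, not as a verdict.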