title: Microsoft Binary Github Communication
status: experimental
description: Detects an executable in the Windows folder accessing github.com
references:
    - https://twitter.com/M_haggis/status/900741347035889665
author: Michael Haag (idea), Florian Roth (rule)
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        DestinationHostname: '*.github.com'
        Image: 'C:\Windows\*'
    condition: selection
falsepositives:
    - 'Unknown'
    - '@subTee in your network'
level: high