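---
# Sigma rule: flags outbound network connections to ports that sandbox data
# associates with malware back-connect / C2 traffic. The port list is a
# statistical hot-list, not a protocol fingerprint, so hits need triage
# (process, destination reputation, volume) before escalation.
title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: >-
  Detects programs that connect to typical malware back connect ports based on
  statistical analysis from two different sandbox system databases
references:
  - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
tags:
  - attack.command_and_control
  - attack.t1043
logsource:
  product: windows
  service: sysmon
  # The selection below matches Sysmon Event ID 3 (network connection); the
  # previous text referred to Event ID 10 process-access events, which this
  # rule never queries.
  definition: 'Requires Sysmon Event ID 3 (network connection) logging to be enabled'
detection:
  selection:
    EventID: 3
    # Any one of these destination ports matches (list entries are OR-ed).
    # Values are quoted so they stay strings in every YAML loader.
    DestinationPort:
      - '4443'
      - '2448'
      - '8143'
      - '1777'
      - '1443'
      - '243'
      - '65535'
      - '13506'
      - '3360'
      - '200'
      - '198'
      - '49180'
      - '13507'
      - '6625'
      - '4444'
      - '4438'
      - '1904'
      - '13505'
      - '13504'
      - '12102'
      - '9631'
      - '5445'
      - '2443'
      - '777'
      - '13394'
      - '13145'
      - '12103'
      - '5552'
      - '3939'
      - '3675'
      - '666'
      - '473'
      - '5649'
      - '4455'
      - '4433'
      - '1817'
      - '100'
      - '65520'
      - '1960'
      - '1515'
      - '743'
      - '700'
      - '14154'
      - '14103'
      - '14102'
      - '12322'
      - '10101'
      - '7210'
      - '4040'
      - '9943'
  # Noise reduction: anything running from under Program Files is excluded.
  # This is a broad exclusion, not a trust boundary — software installed
  # there is not inherently benign, so keep it in mind when tuning.
  filter1:
    Image: '*\Program Files*'
  # Excludes connections to RFC 1918 private ranges and loopback (internal
  # or lab traffic). Keys inside one selection are AND-ed, so this filter
  # only applies to IPv4 destinations; IPv6 connections are never excluded
  # by it.
  filter2:
    DestinationIp:
      - '10.*'
      - '192.168.*'
      - '172.16.*'
      - '172.17.*'
      - '172.18.*'
      - '172.19.*'
      - '172.20.*'
      - '172.21.*'
      - '172.22.*'
      - '172.23.*'
      - '172.24.*'
      - '172.25.*'
      - '172.26.*'
      - '172.27.*'
      - '172.28.*'
      - '172.29.*'
      - '172.30.*'
      - '172.31.*'
      - '127.*'
    # Sysmon logs this field as the string "false"; quoted on purpose so it
    # is compared as a string and not coerced to a YAML boolean.
    DestinationIsIpv6: 'false'
  condition: selection and not ( filter1 or filter2 )
falsepositives:
  - unknown
level: medium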