# Sigma rule: flags Sysmon network-connection events (EventID 3) whose
# destination port is one of the ports listed under DestinationPort, unless
# the connecting image lives under a "Program Files" path.
title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
    # Source of the port statistics the DestinationPort list is presumably drawn from.
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
# Slashed form is parsed as a plain string, not a YAML timestamp.
date: 2017/03/19
logsource:
    product: windows
    service: sysmon
    # NOTE(review): this text describes a Sysmon config for Event ID 10
    # (ProcessAccess / CallTrace VBE7.DLL), but the detection below matches
    # EventID 3 (network connections). It looks copied from another rule;
    # confirm whether it should be replaced with network-connection guidance
    # or removed. Kept under logsource: a top-level key would duplicate
    # `description`, which most parsers would silently resolve last-wins.
    description: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection:
        # Sysmon Event ID 3 = network connection detected.
        EventID: 3
        # Ports are quoted so they stay strings and are never reinterpreted
        # by the YAML loader; keep them quoted when editing the list.
        DestinationPort:
            - '4443'
            - '2448'
            - '8143'
            - '1777'
            - '1443'
            - '243'
            - '65535'
            - '13506'
            - '3360'
            - '200'
            - '198'
            - '49180'
            - '13507'
            - '6625'
            - '4444'
            - '4438'
            - '1904'
            - '13505'
            - '13504'
            - '12102'
            - '9631'
            - '5445'
            - '2443'
            - '777'
            - '13394'
            - '13145'
            - '12103'
            - '5552'
            - '3939'
            - '3675'
            - '666'
            - '473'
            - '5649'
            - '4455'
            - '4433'
            - '1817'
            - '100'
            - '65520'
            - '1960'
            - '1515'
            - '743'
            - '700'
            - '14154'
            - '14103'
            - '14102'
            - '12322'
            - '10101'
            - '7210'
            - '4040'
            - '9943'
    filter:
        # Suppresses every image under any "Program Files" directory. This is a
        # broad exclusion: a binary placed in a writable subfolder there would
        # also be suppressed, so consider narrowing it to known vendor paths
        # once baseline data is available.
        Image: '*\Program Files*'
    # Fire on a listed port unless the Program Files exclusion applies.
    condition: selection and not filter
falsepositives:
    # Any legitimate service that happens to use one of the listed ports will
    # match; tune the port list or the filter against local baseline traffic.
    - unknown
level: medium