SigmaHQ/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml

71 lines
1.9 KiB
YAML

title: Suspicious Typical Malware Back Connect Ports
status: experimental
description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
logsource:
product: windows
service: sysmon
description: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 3
DestinationPort:
- '4443'
- '2448'
- '8143'
- '1777'
- '1443'
- '243'
- '65535'
- '13506'
- '3360'
- '200'
- '198'
- '49180'
- '13507'
- '6625'
- '4444'
- '4438'
- '1904'
- '13505'
- '13504'
- '12102'
- '9631'
- '5445'
- '2443'
- '777'
- '13394'
- '13145'
- '12103'
- '5552'
- '3939'
- '3675'
- '666'
- '473'
- '5649'
- '4455'
- '4433'
- '1817'
- '100'
- '65520'
- '1960'
- '1515'
- '743'
- '700'
- '14154'
- '14103'
- '14102'
- '12322'
- '10101'
- '7210'
- '4040'
- '9943'
filter:
Image: '*\Program Files*'
condition: selection and not filter
falsepositives:
- unknown
level: medium