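---
# Sigma rule: alerts on outbound connections from non-Program-Files binaries to
# ports that sandbox statistics associate with malware back-connect/C2 traffic.
title: Suspicious Typical Malware Back Connect Ports
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
status: experimental
description: >-
  Detects programs that connect to typical malware back connect ports based on
  statistical analysis from two different sandbox system databases
references:
  - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
tags:
  - attack.command_and_control
  # T1043 (Commonly Used Port) has been deprecated by MITRE; T1571
  # (Non-Standard Port) is its successor. The old tag is kept so existing
  # tag-based filters and dashboards keep working.
  - attack.t1043
  - attack.t1571
logsource:
  product: windows
  service: sysmon
  # The detection below matches Sysmon Event ID 3 (network connection). The
  # previous definition text described an Event ID 10 ProcessAccess/CallTrace
  # configuration, which does not produce the events this rule needs and would
  # leave the rule silent on a deployment that followed it.
  definition: 'Requires Sysmon network connection logging (Event ID 3); make sure the Sysmon NetworkConnect configuration does not exclude the destination ports listed in this rule'
detection:
  selection:
    EventID: 3
    # Sysmon records Initiated and DestinationIsIpv6 as the strings
    # "true"/"false"; they stay quoted so the YAML loader does not coerce them
    # to booleans.
    Initiated: 'true'
    # Destination ports over-represented in sandbox C2 traffic (see
    # references). Values are kept as quoted strings exactly as in the
    # original rule; switching to integers is a backend-dependent change.
    # Several entries (e.g. 4443, 4433, 8143, 65535) are also used by
    # legitimate alternative TLS or proxy services - tune per environment.
    DestinationPort:
      - '4443'
      - '2448'
      - '8143'
      - '1777'
      - '1443'
      - '243'
      - '65535'
      - '13506'
      - '3360'
      - '200'
      - '198'
      - '49180'
      - '13507'
      - '6625'
      - '4444'
      - '4438'
      - '1904'
      - '13505'
      - '13504'
      - '12102'
      - '9631'
      - '5445'
      - '2443'
      - '777'
      - '13394'
      - '13145'
      - '12103'
      - '5552'
      - '3939'
      - '3675'
      - '666'
      - '473'
      - '5649'
      - '4455'
      - '4433'
      - '1817'
      - '100'
      - '65520'
      - '1960'
      - '1515'
      - '743'
      - '700'
      - '14154'
      - '14103'
      - '14102'
      - '12322'
      - '10101'
      - '7210'
      - '4040'
      - '9943'
  # Exclusion 1: any image under a "Program Files" path. This is a broad
  # allow-list - an attacker with local admin rights can place a binary there
  # and bypass the rule - so consider narrowing it to specific vendor paths.
  filter1:
    Image: '*\Program Files*'
  # Exclusion 2: RFC 1918 and loopback destinations. Because DestinationIsIpv6
  # is ANDed with the address list, this filter only ever excludes IPv4
  # traffic; IPv6 ULA/link-local/loopback (fc00::/7, fe80::/10, ::1) and IPv4
  # link-local (169.254.0.0/16) destinations are NOT excluded.
  filter2:
    DestinationIp:
      - '10.*'
      - '192.168.*'
      - '172.16.*'
      - '172.17.*'
      - '172.18.*'
      - '172.19.*'
      - '172.20.*'
      - '172.21.*'
      - '172.22.*'
      - '172.23.*'
      - '172.24.*'
      - '172.25.*'
      - '172.26.*'
      - '172.27.*'
      - '172.28.*'
      - '172.29.*'
      - '172.30.*'
      - '172.31.*'
      - '127.*'
    DestinationIsIpv6: 'false'
  condition: selection and not ( filter1 or filter2 )
falsepositives:
  # Not characterised by the author; expect hits from legitimate software
  # using alternative TLS/proxy ports that appear in the port list above.
  - unknown
level: medium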