LoFP / communication to other corporate systems that use ip addresses from public address spaces

Techniques

Sample rules

Outbound Network Connection To Public IP Via Winlogon

Description

Detects a “winlogon.exe” process that initiates network communications with public IP addresses

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
selection:
  Image|endswith: \winlogon.exe
  Initiated: 'true'

Rundll32 Internet Connection

Description

Detects a rundll32 that communicates with public IP addresses

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_app_sdb:
  CommandLine|endswith: \system32\PcaSvc.dll,PcaPatchSdbTask
filter_main_azure_managed:
  SourceHostname|endswith: .internal.cloudapp.net
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
filter_main_ms_ranges:
  DestinationIp|cidr:
  - 20.0.0.0/8
  - 51.103.0.0/16
  - 51.104.0.0/16
  - 51.105.0.0/16
filter_main_svchost_update_processes:
  DestinationPort: 443
  ParentImage: C:\Windows\System32\svchost.exe
selection:
  Image|endswith: \rundll32.exe
  Initiated: 'true'
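Both rules share the condition `selection and not 1 of filter_main_*`: the event must match the selection and must not match any exclusion filter. The exclusion that matters for this LoFP entry is `filter_main_local_ranges`, which only covers RFC 1918, loopback, link-local and ULA space; a corporate system that sits in public address space is not covered, so a connection to it fires the rule. The following Python is an added example, not code from LoFP or the Sigma project. It re-implements the selection and every filter of both rules as plain predicates, evaluates them over constructed Sysmon Event ID 3 records, and shows an organisation-specific tuning filter (`filter_corporate_public` over an assumed `CORPORATE_PUBLIC_RANGES`, with the TEST-NET-3 documentation range as a stand-in for the organisation's real block) that suppresses the false positive without weakening the rule for other public destinations. The event records, field values and the tuning filter are constructed assumptions.

```python
"""Both Sigma rules from this page re-implemented as Python predicates and
run over constructed Sysmon Event ID 3 records. Added example, not LoFP's or
the Sigma project's code; events and CORPORATE_PUBLIC_RANGES are assumptions."""
import ipaddress

LOCAL_RANGES = [  # filter_main_local_ranges (shared by both rules)
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
]
MS_RANGES = ["20.0.0.0/8", "51.103.0.0/16", "51.104.0.0/16", "51.105.0.0/16"]
# Assumption: the organisation owns this public block (TEST-NET-3 as a stand-in).
CORPORATE_PUBLIC_RANGES = ["203.0.113.0/24"]


def cidr_any(ip, cidrs):
    """Sigma '|cidr' modifier: True if ip lies inside any listed network."""
    addr = ipaddress.ip_address(ip)
    # An IPv4 address is never 'in' an IPv6 network and vice versa, so mixed lists are safe.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def ends_with(value, suffix):
    """Sigma '|endswith'; plain string matching is case-insensitive by default."""
    return str(value or "").lower().endswith(suffix.lower())


def initiated(ev):
    return str(ev.get("Initiated", "")).lower() == "true"


def rule_fires(selection, filters, ev):
    """Sigma condition 'selection and not 1 of filter_main_*'."""
    return selection(ev) and not any(f(ev) for f in filters)


# --- Outbound Network Connection To Public IP Via Winlogon ---
def winlogon_selection(ev):
    return ends_with(ev.get("Image"), "\\winlogon.exe") and initiated(ev)


def filter_local_ranges(ev):
    return cidr_any(ev["DestinationIp"], LOCAL_RANGES)


# --- Rundll32 Internet Connection ---
def rundll32_selection(ev):
    return ends_with(ev.get("Image"), "\\rundll32.exe") and initiated(ev)


def filter_app_sdb(ev):
    return ends_with(ev.get("CommandLine"), "\\system32\\PcaSvc.dll,PcaPatchSdbTask")


def filter_azure_managed(ev):
    return ends_with(ev.get("SourceHostname"), ".internal.cloudapp.net")


def filter_ms_ranges(ev):
    return cidr_any(ev["DestinationIp"], MS_RANGES)


def filter_svchost_update(ev):
    # Sysmon may serialise DestinationPort as int or str; compare as string.
    return (str(ev.get("DestinationPort")) == "443"
            and str(ev.get("ParentImage", "")).lower() == "c:\\windows\\system32\\svchost.exe")


# Tuning filter for this LoFP entry (assumption): corporate systems on public space.
def filter_corporate_public(ev):
    return cidr_any(ev["DestinationIp"], CORPORATE_PUBLIC_RANGES)


def winlogon_alert(ev, tuned=False):
    filters = [filter_local_ranges] + ([filter_corporate_public] if tuned else [])
    return rule_fires(winlogon_selection, filters, ev)


def rundll32_alert(ev, tuned=False):
    filters = [filter_app_sdb, filter_azure_managed, filter_local_ranges,
               filter_ms_ranges, filter_svchost_update]
    if tuned:
        filters.append(filter_corporate_public)
    return rule_fires(rundll32_selection, filters, ev)


WINLOGON = r"C:\Windows\System32\winlogon.exe"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
# Constructed Sysmon Event ID 3 records, not real telemetry.
EVENTS = {
    "winlogon_to_lan": {"Image": WINLOGON, "Initiated": "true", "DestinationIp": "10.20.30.40"},
    "winlogon_to_internet": {"Image": WINLOGON, "Initiated": "true", "DestinationIp": "198.51.100.7"},
    "winlogon_to_corp_public": {"Image": WINLOGON, "Initiated": "true", "DestinationIp": "203.0.113.10"},
    "rundll32_to_msft": {"Image": RUNDLL32, "Initiated": "true", "DestinationIp": "20.42.73.29",
                         "DestinationPort": 443, "ParentImage": r"C:\Windows\explorer.exe"},
    "rundll32_svchost_443": {"Image": RUNDLL32, "Initiated": "true", "DestinationIp": "198.51.100.7",
                             "DestinationPort": 443, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    "rundll32_to_corp_public": {"Image": RUNDLL32, "Initiated": "true", "DestinationIp": "203.0.113.10",
                                "DestinationPort": 8080, "ParentImage": r"C:\Windows\explorer.exe"},
}


def evaluate_all(tuned=False):
    """Return {event_name: fires} for the matching rule, with or without tuning."""
    out = {}
    for name, ev in EVENTS.items():
        fn = winlogon_alert if name.startswith("winlogon") else rundll32_alert
        out[name] = fn(ev, tuned=tuned)
    return out


if __name__ == "__main__":
    untuned, tuned = evaluate_all(), evaluate_all(tuned=True)
    for name in EVENTS:
        print(f"{name:24} untuned={untuned[name]!s:5} tuned={tuned[name]}")
```

Running it shows the LoFP case directly: `winlogon_to_corp_public` and `rundll32_to_corp_public` fire under the rules as written and are silenced only by the added corporate-range filter, while `winlogon_to_internet` still fires in both configurations. Keep such a tuning filter narrow (your own allocated prefixes, not broad hoster ranges), because every CIDR added to it is a destination the rule will never report.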