LoFP / communication to other corporate systems that use IP addresses from public address spaces

Techniques

Sample rules

Dllhost.EXE Initiated Network Connection To Non-Local IP Address

Description

Detects dllhost initiating a network connection to a non-local IP address, aside from Microsoft's own IP ranges, which need to be excluded. Network communication from dllhost depends entirely on the hosted DLL, so an initial baseline is recommended before deployment.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - ::1/128
  - 10.0.0.0/8
  - 127.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - fc00::/7
  - fe80::/10
filter_main_msrange:
  DestinationIp|cidr:
  - 20.184.0.0/13
  - 20.192.0.0/10
  - 23.72.0.0/13
  - 51.10.0.0/15
  - 51.103.0.0/16
  - 51.104.0.0/15
  - 52.224.0.0/11
  - 204.79.197.0/24
selection:
  Image|endswith: \dllhost.exe
  Initiated: 'true'

Rundll32 Internet Connection

Description

Detects a rundll32 process that communicates with public IP addresses.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_app_sdb:
  CommandLine|endswith: \system32\PcaSvc.dll,PcaPatchSdbTask
filter_main_azure_managed:
  SourceHostname|endswith: .internal.cloudapp.net
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
filter_main_ms_ranges:
  DestinationIp|cidr:
  - 20.0.0.0/8
  - 51.103.0.0/16
  - 51.104.0.0/16
  - 51.105.0.0/16
filter_main_svchost_update_processes:
  DestinationPort: 443
  ParentImage: C:\Windows\System32\svchost.exe
selection:
  Image|endswith: \rundll32.exe
  Initiated: 'true'

Outbound Network Connection To Public IP Via Winlogon

Description

Detects a "winlogon.exe" process that initiates network communications with public IP addresses.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
selection:
  Image|endswith: \winlogon.exe
  Initiated: 'true'
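All three rules above share the same shape: a selection on the image plus Initiated, and a set of filter_main_* CIDR exclusions for local and (where listed) Microsoft ranges. The following is an added example, not code from this LoFP page or from the Sigma project, that evaluates the Dllhost rule's condition over a handful of constructed events using Python's standard ipaddress module. It shows why a corporate system that sits on public address space is reported (it matches neither the local nor the Microsoft filter) and how an organisation-specific filter, here represented by the hypothetical CORP_PUBLIC_RANGE using the RFC 5737 documentation block 203.0.113.0/24 as a stand-in, removes that false positive without touching the rule's own filters. The event field names (Image, Initiated, DestinationIp) are the ones used in the rules; everything else is constructed.

```python
import ipaddress

# Local/private ranges from filter_main_local_ranges (identical across the three rules).
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Microsoft ranges exactly as listed in the Dllhost rule's filter_main_msrange.
MS_RANGES = [ipaddress.ip_network(c) for c in (
    "20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "52.224.0.0/11", "204.79.197.0/24",
)]

# Hypothetical corporate public range (constructed; RFC 5737 TEST-NET-3 as a stand-in).
CORP_PUBLIC_RANGE = [ipaddress.ip_network("203.0.113.0/24")]


def in_any(ip, networks):
    """True if ip falls inside any of the given networks (IPv4/IPv6 mismatches are False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def dllhost_rule_matches(event, extra_filters=()):
    """Evaluate 'selection and not 1 of filter_main_*' for the Dllhost rule.

    extra_filters: additional CIDR lists an organisation appends (assumption),
    e.g. its own public address space, to suppress the documented false positive.
    """
    image = str(event.get("Image", "")).lower()
    selection = (image.endswith("\\dllhost.exe")
                 and str(event.get("Initiated", "")).lower() == "true")
    if not selection:
        return False
    dst = str(event.get("DestinationIp", ""))
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return False  # no usable destination IP, so no CIDR filter can be applied
    for nets in (LOCAL_RANGES, MS_RANGES, *extra_filters):
        if in_any(dst, nets):
            return False  # one of the filter_main_* blocks matched: suppressed
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "10.1.2.3"},      # local
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "20.190.1.1"},    # MS range
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "203.0.113.25"},  # corporate, public space
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "198.51.100.7"},  # unknown public
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "false", "DestinationIp": "198.51.100.7"}, # inbound, not selected
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true", "DestinationIp": "198.51.100.7"},  # wrong image
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true", "DestinationIp": "fe80::1"},       # IPv6 link-local
]


def alerts(events, extra_filters=()):
    """Return the destination IPs of events the rule would raise."""
    return [e["DestinationIp"] for e in events if dllhost_rule_matches(e, extra_filters)]


if __name__ == "__main__":
    print("rule as published:", alerts(SAMPLE_EVENTS))
    print("with corporate filter:", alerts(SAMPLE_EVENTS, (CORP_PUBLIC_RANGE,)))
```

Running it reports both 203.0.113.25 and 198.51.100.7 with the rule as published, and only 198.51.100.7 once the corporate range is appended as an extra filter_main_* block; the Rundll32 and Winlogon rules would be handled the same way, with their own Microsoft ranges and the extra command-line, hostname and parent-process filters substituted in the same position.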