LoFP / in modern windows systems, unable to see legitimate usage of this process, however, if an organization has legitimate purpose for this there can be false positives.

Techniques

• t1071
• t1071.001

Sample rules

Outbound Network Connection Initiated By Microsoft Dialer

• source: sigma
• technicques:
  • t1071
  • t1071.001

Description

Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it’s usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is “Rhadamanthys”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_local_ranges:
  DestinationIp|cidr:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
selection:
  Image|endswith: :\Windows\System32\dialer.exe
  Initiated: 'true'