LoFP / other ports can be used, apply additional filters accordingly

Techniques

Sample rules

Suspicious Wordpad Outbound Connections

Description

Detects a network connection initiated by "wordpad.exe" to an uncommon destination port. WordPad has little reason to talk to the network at all, so an outbound connection from it may indicate a beacon or similar payload injected into the process. The filter only whitelists the ports listed below; legitimate traffic on other ports (a proxy listener, for example) will still fire, so extend the filter_main_* blocks to match your environment.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_ports:
  DestinationPort:
  - 80
  - 139
  - 443
  - 445
  - 465
  - 587
  - 993
  - 995
selection:
  Image|endswith: \wordpad.exe
  Initiated: 'true'

Office Application Initiated Network Connection Over Uncommon Ports

Description

Detects an office suite application (Word, Excel, PowerPoint, Outlook) initiating a network connection to target systems over uncommon ports. Note that the mail-port exception (465, 587, 993, 995) applies only to OUTLOOK.EXE running from the default "Program Files\Microsoft Office" install path; an Outlook binary running from elsewhere still alerts on those ports.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_common_ports:
  DestinationPort:
  - 53
  - 80
  - 139
  - 443
  - 445
filter_main_outlook_ports:
  DestinationPort:
  - 465
  - 587
  - 993
  - 995
  Image|contains: :\Program Files\Microsoft Office\
  Image|endswith: \OUTLOOK.EXE
selection:
  Image|endswith:
  - \excel.exe
  - \outlook.exe
  - \powerpnt.exe
  - \winword.exe
  - \wordview.exe
  Initiated: 'true'
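As an added example (not code from the LoFP page or from any Sigma backend), the following evaluator mirrors the two sample rules above and runs them over constructed Sysmon Event ID 3 records, then shows the tuning the false-positive note at the top of the page asks for: adding one more filter_main_* block. The rule dictionaries, the event records and the extra "filter_main_proxy" block are assumptions made for illustration.

```python
# Added example: minimal evaluator for the two sample rules, run over
# constructed Sysmon Event ID 3 (NetworkConnect) records. Not code from the
# LoFP page or any Sigma backend. Sigma semantics mirrored here: string
# matches are case-insensitive, a list of values is OR-ed, fields within one
# block are AND-ed, and "selection and not 1 of filter_main_*" suppresses an
# event when ANY filter block matches.

def _field_matches(event, key, expected):
    """Evaluate one `Field|modifier: value(s)` entry against an event."""
    field, _, modifier = key.partition("|")
    if modifier not in ("", "endswith", "contains"):
        raise ValueError(f"unsupported modifier: {modifier}")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for v in (str(x).lower() for x in values):
        if modifier == "" and actual == v:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False


def _block_matches(event, block):
    return all(_field_matches(event, k, v) for k, v in block.items())


def evaluate(rule, event):
    """condition: selection and not 1 of filter_main_*"""
    if not _block_matches(event, rule["selection"]):
        return False
    return not any(_block_matches(event, f) for f in rule["filters"].values())


def alerts(rule, events):
    """Return (Image, DestinationPort) for every event the rule fires on."""
    return [(e["Image"], e["DestinationPort"]) for e in events if evaluate(rule, e)]


def with_extra_filter(rule, name, block):
    """Copy a rule and add one more filter_main_* block (the FP tuning step)."""
    if not name.startswith("filter_main_"):
        raise ValueError("filter name must match the condition's filter_main_* glob")
    return {"selection": rule["selection"], "filters": {**rule["filters"], name: block}}


# Rule definitions transcribed from the page's detection logic (assumed dict form).
WORDPAD_RULE = {
    "selection": {"Image|endswith": "\\wordpad.exe", "Initiated": "true"},
    "filters": {"filter_main_ports": {"DestinationPort": [80, 139, 443, 445, 465, 587, 993, 995]}},
}
OFFICE_RULE = {
    "selection": {
        "Image|endswith": ["\\excel.exe", "\\outlook.exe", "\\powerpnt.exe",
                           "\\winword.exe", "\\wordview.exe"],
        "Initiated": "true",
    },
    "filters": {
        "filter_main_common_ports": {"DestinationPort": [53, 80, 139, 443, 445]},
        "filter_main_outlook_ports": {
            "DestinationPort": [465, 587, 993, 995],
            "Image|contains": ":\\Program Files\\Microsoft Office\\",
            "Image|endswith": "\\OUTLOOK.EXE",
        },
    },
}
# Hypothetical extra filter for an environment whose Office clients go through
# a proxy on 8080; scoped to the Program Files path so a stray copy still alerts.
PROXY_FILTER = {"DestinationPort": 8080, "Image|contains": ":\\Program Files\\Microsoft Office\\"}

OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", "Initiated": "true", "DestinationPort": 443},
    {"Image": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", "Initiated": "true", "DestinationPort": 4444},
    {"Image": OFFICE_DIR + "OUTLOOK.EXE", "Initiated": "true", "DestinationPort": 993},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\outlook.exe", "Initiated": "true", "DestinationPort": 993},
    {"Image": OFFICE_DIR + "EXCEL.EXE", "Initiated": "true", "DestinationPort": 8080},
    {"Image": OFFICE_DIR + "WINWORD.EXE", "Initiated": "false", "DestinationPort": 8080},
]

if __name__ == "__main__":
    print("wordpad:", alerts(WORDPAD_RULE, SAMPLE_EVENTS))
    print("office :", alerts(OFFICE_RULE, SAMPLE_EVENTS))
    tuned = with_extra_filter(OFFICE_RULE, "filter_main_proxy", PROXY_FILTER)
    print("tuned  :", alerts(tuned, SAMPLE_EVENTS))
```

Of the six constructed events only wordpad.exe to 4444, the Temp-directory outlook.exe to 993 and EXCEL.EXE to 8080 fire; the inbound (Initiated=false) WINWORD record and the properly installed OUTLOOK.EXE on 993 are dropped by the selection and the Outlook filter respectively. Adding the proxy filter suppresses the 8080 hit without touching the out-of-place Outlook binary, which is the shape a tuning filter should have: narrow the exception to the port and the path you actually trust.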