Techniques
Sample rules
Network Connection Initiated Via Notepad.EXE
- source: sigma
- techniques:
  - t1055
Description
Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates network communication, except, for example, when printing documents.
Detection logic
selection:
  Image|endswith: \notepad.exe
filter_optional_printing:
  DestinationPort: 9100
condition: selection and not 1 of filter_optional_*
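The following is an added example, not code from the Sigma project or from this rule's author: a minimal Python evaluator for the rule's detection logic, run over constructed Sysmon Event ID 3-style network connection events. It implements the `selection`, the `filter_optional_printing` block and the `1 of filter_optional_*` condition as written above, with the `endswith` modifier compared case-insensitively as Sigma specifies. The event dictionaries, field names beyond those in the rule (`EventID`, `DestinationIp`) and all addresses are constructed sample data; destination port 9100 is the raw TCP printing port, which is why the rule excludes it.

```python
# Added example: evaluator for the "Network Connection Initiated Via Notepad.EXE"
# Sigma logic. Not part of the Sigma project; sample events are constructed.
from typing import Iterable

# The rule's detection block, transcribed into Python structures.
SELECTION = {"Image|endswith": "\\notepad.exe"}
FILTERS = {
    # Destination port 9100 is raw TCP printing; Notepad legitimately talks to printers.
    "filter_optional_printing": {"DestinationPort": 9100},
}


def _match_field(event: dict, key: str, expected) -> bool:
    """Evaluate one Sigma field expression of the form 'field' or 'field|modifier'."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        # Sigma string matching is case-insensitive, as are Windows image paths.
        return str(value).lower().endswith(str(expected).lower())
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(event: dict, conditions: dict) -> bool:
    """A Sigma map matches only when every listed field condition matches (AND)."""
    return all(_match_field(event, k, v) for k, v in conditions.items())


def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    if not _match_map(event, SELECTION):
        return False
    # "1 of filter_optional_*" is true when at least one such filter block matches.
    any_optional_filter = any(
        _match_map(event, block)
        for name, block in FILTERS.items()
        if name.startswith("filter_optional_")
    )
    return not any_optional_filter


def find_alerts(events: Iterable[dict]) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); documentation address ranges only.
SAMPLE_EVENTS = [
    # notepad.exe connecting to 443: no filter applies, should alert
    {"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # notepad.exe printing to a raw-TCP printer port: excluded by the optional filter
    {"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe",
     "DestinationIp": "192.0.2.50", "DestinationPort": 9100},
    # unrelated process: not selected at all
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # case variation in the image path must still be selected
    {"EventID": 3, "Image": "C:\\Windows\\System32\\NOTEPAD.EXE",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
]


if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}")
```

Running the block flags the first and fourth sample events and suppresses the print job on port 9100. The optional filter is a deliberate trade: it removes the most common benign source of Notepad network traffic at the cost of a blind spot on that one port, so an environment without network printing can drop the filter for full coverage.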