title: Suspicious Typical Malware Back Connect Ports
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
status: experimental
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
references:
  - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth
date: 2017/03/19
modified: 2020/08/24
tags:
  - attack.command_and_control
  - attack.t1571
  - attack.t1043
logsource:
  category: network_connection
  product: windows
  definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
  SELECTION_1: {EventID: 3}
  SELECTION_2: {Initiated: 'true'}
  SELECTION_3: {DestinationPort: '4443'}
  SELECTION_4: {DestinationPort: '2448'}
  SELECTION_5: {DestinationPort: '8143'}
  SELECTION_6: {DestinationPort: '1777'}
  SELECTION_7: {DestinationPort: '1443'}
  SELECTION_8: {DestinationPort: '243'}
  SELECTION_9: {DestinationPort: '65535'}
  SELECTION_10: {DestinationPort: '13506'}
  SELECTION_11: {DestinationPort: '3360'}
  SELECTION_12: {DestinationPort: '200'}
  SELECTION_13: {DestinationPort: '198'}
  SELECTION_14: {DestinationPort: '49180'}
  SELECTION_15: {DestinationPort: '13507'}
  SELECTION_16: {DestinationPort: '6625'}
  SELECTION_17: {DestinationPort: '4444'}
  SELECTION_18: {DestinationPort: '4438'}
  SELECTION_19: {DestinationPort: '1904'}
  SELECTION_20: {DestinationPort: '13505'}
  SELECTION_21: {DestinationPort: '13504'}
  SELECTION_22: {DestinationPort: '12102'}
  SELECTION_23: {DestinationPort: '9631'}
  SELECTION_24: {DestinationPort: '5445'}
  SELECTION_25: {DestinationPort: '2443'}
  SELECTION_26: {DestinationPort: '777'}
  SELECTION_27: {DestinationPort: '13394'}
  SELECTION_28: {DestinationPort: '13145'}
  SELECTION_29: {DestinationPort: '12103'}
  SELECTION_30: {DestinationPort: '5552'}
  SELECTION_31: {DestinationPort: '3939'}
  SELECTION_32: {DestinationPort: '3675'}
  SELECTION_33: {DestinationPort: '666'}
  SELECTION_34: {DestinationPort: '473'}
  SELECTION_35: {DestinationPort: '5649'}
  SELECTION_36: {DestinationPort: '4455'}
  SELECTION_37: {DestinationPort: '4433'}
  SELECTION_38: {DestinationPort: '1817'}
  SELECTION_39: {DestinationPort: '100'}
  SELECTION_40: {DestinationPort: '65520'}
  SELECTION_41: {DestinationPort: '1960'}
  SELECTION_42: {DestinationPort: '1515'}
  SELECTION_43: {DestinationPort: '743'}
  SELECTION_44: {DestinationPort: '700'}
  SELECTION_45: {DestinationPort: '14154'}
  SELECTION_46: {DestinationPort: '14103'}
  SELECTION_47: {DestinationPort: '14102'}
  SELECTION_48: {DestinationPort: '12322'}
  SELECTION_49: {DestinationPort: '10101'}
  SELECTION_50: {DestinationPort: '7210'}
  SELECTION_51: {DestinationPort: '4040'}
  SELECTION_52: {DestinationPort: '9943'}
  SELECTION_53: {EventID: 3}
  SELECTION_54: {Image: '*\Program Files*'}
  SELECTION_55: {DestinationIp: '10.*'}
  SELECTION_56: {DestinationIp: '192.168.*'}
  SELECTION_57: {DestinationIp: '172.16.*'}
  SELECTION_58: {DestinationIp: '172.17.*'}
  SELECTION_59: {DestinationIp: '172.18.*'}
  SELECTION_60: {DestinationIp: '172.19.*'}
  SELECTION_61: {DestinationIp: '172.20.*'}
  SELECTION_62: {DestinationIp: '172.21.*'}
  SELECTION_63: {DestinationIp: '172.22.*'}
  SELECTION_64: {DestinationIp: '172.23.*'}
  SELECTION_65: {DestinationIp: '172.24.*'}
  SELECTION_66: {DestinationIp: '172.25.*'}
  SELECTION_67: {DestinationIp: '172.26.*'}
  SELECTION_68: {DestinationIp: '172.27.*'}
  SELECTION_69: {DestinationIp: '172.28.*'}
  SELECTION_70: {DestinationIp: '172.29.*'}
  SELECTION_71: {DestinationIp: '172.30.*'}
  SELECTION_72: {DestinationIp: '172.31.*'}
  SELECTION_73: {DestinationIp: '127.*'}
  SELECTION_74: {DestinationIsIpv6: 'false'}
  condition: >-
    (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or
    SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10 or SELECTION_11 or SELECTION_12 or
    SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or
    SELECTION_19 or SELECTION_20 or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or
    SELECTION_25 or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30 or
    SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35 or SELECTION_36 or
    SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40 or SELECTION_41 or SELECTION_42 or
    SELECTION_43 or SELECTION_44 or SELECTION_45 or SELECTION_46 or SELECTION_47 or SELECTION_48 or
    SELECTION_49 or SELECTION_50 or SELECTION_51 or SELECTION_52))
    and not ((SELECTION_53 and (SELECTION_54 or ((SELECTION_55 or SELECTION_56 or SELECTION_57 or
    SELECTION_58 or SELECTION_59 or SELECTION_60 or SELECTION_61 or SELECTION_62 or SELECTION_63 or
    SELECTION_64 or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69 or
    SELECTION_70 or SELECTION_71 or SELECTION_72 or SELECTION_73) and SELECTION_74)))))
falsepositives:
  - unknown
level: medium
yml_filename: sysmon_malware_backconnect_ports.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection