title: Microsoft Binary Suspicious Communication Endpoint
author: Florian Roth
date: 2018/08/30
description: Detects an executable in the Windows folder accessing suspicious domains
detection:
    SELECTION_1:
        EventID: 3
    SELECTION_2:
        Initiated: 'true'
    SELECTION_3:
        DestinationHostname: '*dl.dropboxusercontent.com'
    SELECTION_4:
        DestinationHostname: '*.pastebin.com'
    SELECTION_5:
        DestinationHostname: '*.githubusercontent.com'
    SELECTION_6:
        Image: C:\Windows\\*
    condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5)
        and SELECTION_6)
falsepositives:
- Unknown
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
level: high
logsource:
    category: network_connection
    product: windows
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
status: experimental
tags:
- attack.lateral_movement
- attack.t1105
yml_filename: sysmon_win_binary_susp_com.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection