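# Sigma rule in Hayabusa-converted form: every list item of the upstream rule
# became its own SELECTION_n mapping and the lists were re-joined in `condition`.
# Logic: a Sysmon network connection (EventID 3) that the local host initiated
# to one of the destination ports below, excluding connections made by images
# under Program Files and connections to private/loopback IPv4 destinations.
# Ports are quoted strings so that no YAML parser retypes them.
title: Suspicious Typical Malware Back Connect Ports
author: Florian Roth
date: 2017/03/19
description: Detects programs that connect to typical malware back connect ports based
  on statistical analysis from two different sandbox system databases
detection:
  # SELECTION_1 + SELECTION_2: the base event (outbound Sysmon network connection).
  # SELECTION_3 .. SELECTION_52: the back-connect port list (OR-ed together).
  # SELECTION_53 + SELECTION_54: filter A, connections from images under Program Files.
  # SELECTION_55 .. SELECTION_73 with SELECTION_74: filter B, IPv4 destinations in
  # RFC 1918 / loopback space. Keys are in the generator's lexical order.
  SELECTION_1:
    EventID: 3
  SELECTION_10:
    DestinationPort: '13506'
  SELECTION_11:
    DestinationPort: '3360'
  SELECTION_12:
    DestinationPort: '200'
  SELECTION_13:
    DestinationPort: '198'
  SELECTION_14:
    DestinationPort: '49180'
  SELECTION_15:
    DestinationPort: '13507'
  SELECTION_16:
    DestinationPort: '6625'
  SELECTION_17:
    DestinationPort: '4444'
  SELECTION_18:
    DestinationPort: '4438'
  SELECTION_19:
    DestinationPort: '1904'
  SELECTION_2:
    # Sysmon writes Initiated as the string "true"/"false"; keep it quoted.
    Initiated: 'true'
  SELECTION_20:
    DestinationPort: '13505'
  SELECTION_21:
    DestinationPort: '13504'
  SELECTION_22:
    DestinationPort: '12102'
  SELECTION_23:
    DestinationPort: '9631'
  SELECTION_24:
    DestinationPort: '5445'
  SELECTION_25:
    DestinationPort: '2443'
  SELECTION_26:
    DestinationPort: '777'
  SELECTION_27:
    DestinationPort: '13394'
  SELECTION_28:
    DestinationPort: '13145'
  SELECTION_29:
    DestinationPort: '12103'
  SELECTION_3:
    DestinationPort: '4443'
  SELECTION_30:
    DestinationPort: '5552'
  SELECTION_31:
    DestinationPort: '3939'
  SELECTION_32:
    DestinationPort: '3675'
  SELECTION_33:
    DestinationPort: '666'
  SELECTION_34:
    DestinationPort: '473'
  SELECTION_35:
    DestinationPort: '5649'
  SELECTION_36:
    DestinationPort: '4455'
  SELECTION_37:
    DestinationPort: '4433'
  SELECTION_38:
    DestinationPort: '1817'
  SELECTION_39:
    DestinationPort: '100'
  SELECTION_4:
    DestinationPort: '2448'
  SELECTION_40:
    DestinationPort: '65520'
  SELECTION_41:
    DestinationPort: '1960'
  SELECTION_42:
    DestinationPort: '1515'
  SELECTION_43:
    DestinationPort: '743'
  SELECTION_44:
    DestinationPort: '700'
  SELECTION_45:
    DestinationPort: '14154'
  SELECTION_46:
    DestinationPort: '14103'
  SELECTION_47:
    DestinationPort: '14102'
  SELECTION_48:
    DestinationPort: '12322'
  SELECTION_49:
    DestinationPort: '10101'
  SELECTION_5:
    DestinationPort: '8143'
  SELECTION_50:
    DestinationPort: '7210'
  SELECTION_51:
    DestinationPort: '4040'
  SELECTION_52:
    DestinationPort: '9943'
  SELECTION_53:
    # Same constraint as SELECTION_1; repeated because filter A is self-contained.
    EventID: 3
  SELECTION_54:
    # Filter A is path-based only: any image under Program Files is excluded,
    # regardless of signature or publisher.
    Image: '*\Program Files*'
  # Filter B: destination prefixes as wildcard strings (quoted so the leading
  # digits and trailing `*` are never reinterpreted by the parser).
  SELECTION_55:
    DestinationIp: '10.*'
  SELECTION_56:
    DestinationIp: '192.168.*'
  SELECTION_57:
    DestinationIp: '172.16.*'
  SELECTION_58:
    DestinationIp: '172.17.*'
  SELECTION_59:
    DestinationIp: '172.18.*'
  SELECTION_6:
    DestinationPort: '1777'
  SELECTION_60:
    DestinationIp: '172.19.*'
  SELECTION_61:
    DestinationIp: '172.20.*'
  SELECTION_62:
    DestinationIp: '172.21.*'
  SELECTION_63:
    DestinationIp: '172.22.*'
  SELECTION_64:
    DestinationIp: '172.23.*'
  SELECTION_65:
    DestinationIp: '172.24.*'
  SELECTION_66:
    DestinationIp: '172.25.*'
  SELECTION_67:
    DestinationIp: '172.26.*'
  SELECTION_68:
    DestinationIp: '172.27.*'
  SELECTION_69:
    DestinationIp: '172.28.*'
  SELECTION_7:
    DestinationPort: '1443'
  SELECTION_70:
    DestinationIp: '172.29.*'
  SELECTION_71:
    DestinationIp: '172.30.*'
  SELECTION_72:
    DestinationIp: '172.31.*'
  SELECTION_73:
    DestinationIp: '127.*'
  SELECTION_74:
    # Filter B only applies to IPv4 destinations; IPv6 targets are never excluded.
    DestinationIsIpv6: 'false'
  SELECTION_8:
    DestinationPort: '243'
  SELECTION_9:
    DestinationPort: '65535'
  # base AND port-list AND NOT (filter A OR filter B); filter B = private prefix AND IPv4.
  condition: (SELECTION_1 and (SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
    or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
    or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
    or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
    or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
    or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
    or SELECTION_46 or SELECTION_47 or SELECTION_48 or SELECTION_49 or SELECTION_50
    or SELECTION_51 or SELECTION_52)) and not ((SELECTION_53 and (SELECTION_54
    or ((SELECTION_55 or SELECTION_56 or SELECTION_57 or SELECTION_58 or SELECTION_59
    or SELECTION_60 or SELECTION_61 or SELECTION_62 or SELECTION_63 or SELECTION_64
    or SELECTION_65 or SELECTION_66 or SELECTION_67 or SELECTION_68 or SELECTION_69
    or SELECTION_70 or SELECTION_71 or SELECTION_72 or SELECTION_73) and SELECTION_74)))))
# Not characterized; the two filters above are the only built-in tuning.
falsepositives:
  - unknown
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
level: medium
logsource:
  category: network_connection
  # NOTE(review): this definition describes a Sysmon ProcessAccess (Event ID 10)
  # include/exclude config, but the rule matches EventID 3 network_connection
  # events. It looks copied from a different rule; confirm and replace or drop.
  definition: 'Use the following config to generate the necessary Event ID 10 Process
    Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
    onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
  product: windows
modified: 2020/08/24
references:
  - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
status: experimental
tags:
  - attack.command_and_control
  - attack.t1571
  # T1043 (Commonly Used Port) is revoked in ATT&CK and superseded by T1571;
  # kept so consumers indexing on the old tag still match.
  - attack.t1043
yml_filename: sysmon_malware_backconnect_ports.yml
# Machine-local absolute path from the converting workstation; not portable.
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/network_connection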