Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1105` Ingress Tool Transfer

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

or:
Image|contains: ':\$Recycle.bin'
Image|contains: ':\Perflogs\'
Image|contains: ':\Temp\'
Image|contains: ':\Users\Default\'
Image|contains: ':\Users\Public\'
Image|contains: ':\Windows\Fonts\'
Image|contains: ':\Windows\IME\'
Image|contains: ':\Windows\System32\Tasks\'
Image|contains: ':\Windows\Tasks\'
Image|contains: '\Contacts\'
Image|contains: '\Favorites\'
Image|contains: '\Favourites\'
Image|contains: '\Music\'
Image|contains: '\Pictures\'
Image|contains: '\Videos\'
Image|contains: '\Windows\addins\'
Image|contains: '\config\systemprofile\'
Initiated: true

Stage 2: `not 1 of filter_main_domains`

or:
DestinationHostname|endswith: .githubusercontent.com
DestinationHostname|endswith: anonfiles.com
DestinationHostname|endswith: cdn.discordapp.com
DestinationHostname|endswith: ddns.net
DestinationHostname|endswith: dl.dropboxusercontent.com
DestinationHostname|endswith: ghostbin.co
DestinationHostname|endswith: github.com
DestinationHostname|endswith: glitch.me
DestinationHostname|endswith: gofile.io
DestinationHostname|endswith: hastebin.com
DestinationHostname|endswith: mediafire.com
DestinationHostname|endswith: mega.co.nz
DestinationHostname|endswith: mega.nz
DestinationHostname|endswith: onrender.com
DestinationHostname|endswith: pages.dev
DestinationHostname|endswith: paste.ee
DestinationHostname|endswith: pastebin.com
DestinationHostname|endswith: pastebin.pl
DestinationHostname|endswith: pastetext.net
DestinationHostname|endswith: portmap.io
DestinationHostname|endswith: privatlab.com
DestinationHostname|endswith: privatlab.net
DestinationHostname|endswith: send.exploit.in
DestinationHostname|endswith: sendspace.com
DestinationHostname|endswith: storage.googleapis.com
DestinationHostname|endswith: storjshare.io
DestinationHostname|endswith: supabase.co
DestinationHostname|endswith: temp.sh
DestinationHostname|endswith: transfer.sh
DestinationHostname|endswith: trycloudflare.com
DestinationHostname|endswith: ufile.io
DestinationHostname|endswith: w3spaces.com
DestinationHostname|endswith: workers.dev

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationHostname`	ends_with	`.githubusercontent.com` corpus 2 (sigma 2) `anonfiles.com` corpus 3 (sigma 3) `cdn.discordapp.com` corpus 3 (sigma 3) `ddns.net` corpus 3 (sigma 3) `dl.dropboxusercontent.com` corpus 2 (sigma 2) `ghostbin.co` corpus 2 (sigma 2) `github.com` corpus 2 (sigma 2) `glitch.me` corpus 2 (sigma 2) `gofile.io` corpus 3 (sigma 3) `hastebin.com` corpus 3 (sigma 3) `mediafire.com` corpus 3 (sigma 3) `mega.co.nz` corpus 4 (sigma 4) `mega.nz` corpus 4 (sigma 4) `onrender.com` corpus 2 (sigma 2) `pages.dev` corpus 3 (sigma 3) `paste.ee` corpus 3 (sigma 3) `pastebin.com` corpus 3 (sigma 3) `pastebin.pl` corpus 3 (sigma 3) `pastetext.net` corpus 3 (sigma 3) `portmap.io` `privatlab.com` corpus 3 (sigma 3) `privatlab.net` corpus 3 (sigma 3) `send.exploit.in` corpus 3 (sigma 3) `sendspace.com` corpus 3 (sigma 3) `storage.googleapis.com` corpus 3 (sigma 3) `storjshare.io` corpus 2 (sigma 2) `supabase.co` corpus 2 (sigma 2) `temp.sh` corpus 3 (sigma 3) `transfer.sh` corpus 3 (sigma 3) `trycloudflare.com` corpus 4 (sigma 4) `ufile.io` corpus 3 (sigma 3) `w3spaces.com` corpus 3 (sigma 3) `workers.dev` corpus 3 (sigma 3)
`Image`	match	`:\$Recycle.bin` corpus 2 (sigma 2) `:\Perflogs\` corpus 7 (sigma 7) `:\Temp\` corpus 12 (sigma 12) `:\Users\Default\` corpus 3 (sigma 3) `:\Users\Public\` corpus 14 (sigma 14) `:\Windows\Fonts\` corpus 3 (sigma 3) `:\Windows\IME\` corpus 3 (sigma 3) `:\Windows\System32\Tasks\` corpus 4 (sigma 4) `:\Windows\Tasks\` corpus 5 (sigma 5) `\Contacts\` corpus 5 (sigma 5) `\Favorites\` corpus 6 (sigma 6) `\Favourites\` corpus 5 (sigma 5) `\Music\` corpus 4 (sigma 4) `\Pictures\` corpus 5 (sigma 5) `\Videos\` corpus 4 (sigma 4) `\Windows\addins\` corpus 4 (sigma 4) `\config\systemprofile\` corpus 4 (sigma 4)
`Initiated`	eq	`true` corpus 40 (sigma 40)