Sigma rule | Level: high | Hunting
Potentially Suspicious Malware Callback Communication
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Detection Query
selection:
    Initiated: "true"
    DestinationPort:
        - 100
        - 198
        - 200
        - 243
        - 473
        - 666
        - 700
        - 743
        - 777
        - 1443
        - 1515
        - 1777
        - 1817
        - 1904
        - 1960
        - 2443
        - 2448
        - 3360
        - 3675
        - 3939
        - 4040
        - 4433
        - 4438
        - 4443
        - 4444
        - 4455
        - 5445
        - 5552
        - 5649
        - 6625
        - 7210
        - 7777
        - 8143
        - 8843
        - 9631
        - 9943
        - 10101
        - 12102
        - 12103
        - 12322
        - 13145
        - 13394
        - 13504
        - 13505
        - 13506
        - 13507
        - 14102
        - 14103
        - 14154
        - 49180
        - 65520
        - 65535
filter_main_local_ranges:
    DestinationIp|cidr:
        - '127.0.0.0/8'
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
        - '169.254.0.0/16'
        - '::1/128'
        - 'fe80::/10'
        - 'fc00::/7'
filter_optional_sys_directories:
    Image|startswith:
        - 'C:\Program Files\'
        - 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
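To see exactly which events the condition above selects and which the two filters drop, here is the rule's logic re-implemented in plain Python and run over a handful of constructed Sysmon Event ID 3 records. This is an added example, not code from the Sigma rule or the SigmaHQ project; it is not a Sigma backend (use sigma-cli/pySigma to convert the rule for a real SIEM). The port list and CIDR/path filters are copied from the rule; the event records, addresses (documentation ranges) and paths are made up for illustration. Sigma string matching is case-insensitive, so the `Image|startswith` filter is compared lower-cased.

```python
"""Reference evaluation of the rule's detection logic over constructed
Sysmon Event ID 3 (network connection) records.

Added example, not code from the Sigma rule or the SigmaHQ project.
Event records below are constructed; ports and filters are copied from
the rule.
"""
import ipaddress

# selection: DestinationPort (copied from the rule)
CALLBACK_PORTS = {
    100, 198, 200, 243, 473, 666, 700, 743, 777, 1443, 1515, 1777, 1817,
    1904, 1960, 2443, 2448, 3360, 3675, 3939, 4040, 4433, 4438, 4443, 4444,
    4455, 5445, 5552, 5649, 6625, 7210, 7777, 8143, 8843, 9631, 9943, 10101,
    12102, 12103, 12322, 13145, 13394, 13504, 13505, 13506, 13507, 14102,
    14103, 14154, 49180, 65520, 65535,
}

# filter_main_local_ranges: DestinationIp|cidr
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# filter_optional_sys_directories: Image|startswith
SYS_DIR_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")


def in_local_range(ip_str):
    """True if DestinationIp lies in any CIDR of filter_main_local_ranges.
    An address that does not parse cannot satisfy the filter, so the
    event is not excluded on this basis."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # `in` is False when the address and network families differ.
    return any(ip in net for net in LOCAL_RANGES)


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    # selection: Initiated == "true" (Sysmon records it as a string)
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    try:
        port = int(event.get("DestinationPort"))
    except (TypeError, ValueError):
        return False
    if port not in CALLBACK_PORTS:
        return False
    # filter_main_local_ranges: drop private / loopback / link-local targets
    if in_local_range(str(event.get("DestinationIp", ""))):
        return False
    # filter_optional_sys_directories: drop binaries installed under
    # Program Files (Sigma matching is case-insensitive)
    image = str(event.get("Image", "")).lower()
    if any(image.startswith(p.lower()) for p in SYS_DIR_PREFIXES):
        return False
    return True


# Constructed Sysmon Event ID 3 records, only the fields the rule uses.
SAMPLE_EVENTS = [
    # 0: user-profile binary, public destination, listed port -> hit
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},
    # 1: same binary and port, RFC 1918 destination -> excluded by filter_main_local_ranges
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Initiated": "true", "DestinationIp": "10.20.30.40", "DestinationPort": "4444"},
    # 2: installed under Program Files -> excluded by filter_optional_sys_directories
    {"Image": r"C:\Program Files\Vendor\agent.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "8843"},
    # 3: lower-cased path still matches the prefix filter -> excluded
    {"Image": r"c:\program files (x86)\vendor\app.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "4443"},
    # 4: inbound connection (Initiated=false) -> not selected
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "false", "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},
    # 5: port not in the list -> not selected
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # 6: IPv6 unique-local destination -> excluded by fc00::/7
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "Initiated": "true", "DestinationIp": "fd12:3456::1", "DestinationPort": "7777"},
    # 7: IPv6 global destination on a listed port -> hit
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "Initiated": "true", "DestinationIp": "2001:db8::10", "DestinationPort": "7777"},
]


def run(events):
    """Return the indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in run(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}")
```

Running it reports only events 0 and 7. Note what the rule does not filter: a legitimate application that lives outside Program Files (per-user installs under AppData, portable tools) and talks to a public address on one of the listed ports will fire, which is why `filter_optional_sys_directories` is marked optional and is the natural place to extend with known-good image paths in your own environment.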
Author
Florian Roth (Nextron Systems)
Created
2017-03-19
Data Sources
windows: Network Connection Events
Platforms
windows
Tags
attack.persistence, attack.command-and-control, attack.t1571
Raw Content
title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
      type: similar
status: test
description: |
    Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 7777
            - 8143
            - 8843
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high