← Back to Explore
sigmahighHunting
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
Detection Query
selection:
Initiated: "true"
Image|contains:
- :\$Recycle.bin
- :\Perflogs\
- :\Temp\
- :\Users\Default\
- :\Users\Public\
- :\Windows\Fonts\
- :\Windows\IME\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
- \config\systemprofile\
- \Contacts\
- \Favorites\
- \Favourites\
- \Music\
- \Pictures\
- \Videos\
- \Windows\addins\
filter_main_domains:
DestinationHostname|endswith:
- .githubusercontent.com
- 0x0.st
- anonfiles.com
- bashupload.com
- cdn.discordapp.com
- chunk.io
- ddns.net
- dl.dropboxusercontent.com
- ghostbin.co
- github.com
- glitch.me
- gofile.io
- hastebin.com
- mediafire.com
- mega.co.nz
- mega.nz
- onrender.com
- pages.dev
- paste.ee
- pastebin.com
- pastebin.pl
- pastetext.net
- portmap.io
- privatlab.com
- privatlab.net
- send.exploit.in
- sendspace.com
- storage.googleapis.com
- storjshare.io
- supabase.co
- temp.sh
- transfer.sh
- trycloudflare.com
- ufile.io
- w3spaces.com
- workers.dev
- x0.at
condition: selection and not 1 of filter_main_*
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Created
2017-03-19
Data Sources
windowsNetwork Connection Events
Platforms
windows
Tags
attack.command-and-controlattack.t1105
Raw Content
title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
related:
- id: 8b48ad89-10d8-4382-a546-50588c410f0d
type: similar
- id: d635249d-86b5-4dad-a8c7-d7272b788586
type: similar
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
- id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
type: similar
- id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
type: similar
- id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
type: similar
- id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
type: similar
- id: b6e04788-29e1-4557-bb14-77f761848ab8
type: similar
- id: a0d7e4d2-bede-4141-8896-bc6e237e977c
type: similar
- id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
type: similar
status: test
description: |
Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2026-03-29
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|contains:
- ':\$Recycle.bin'
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Fonts\'
- ':\Windows\IME\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '\config\systemprofile\'
- '\Contacts\'
- '\Favorites\'
- '\Favourites\'
- '\Music\'
- '\Pictures\'
- '\Videos\'
- '\Windows\addins\'
filter_main_domains:
# Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
DestinationHostname|endswith:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- '0x0.st'
- 'anonfiles.com'
- 'bashupload.com'
- 'cdn.discordapp.com'
- 'chunk.io'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'portmap.io' # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
- 'x0.at'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high