EXPLORE
← Back to Explore
sigmahighHunting

Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.

MITRE ATT&CK

command-and-control

Detection Query

selection:
  Initiated: "true"
  Image|contains:
    - :\$Recycle.bin
    - :\Perflogs\
    - :\Temp\
    - :\Users\Default\
    - :\Users\Public\
    - :\Windows\Fonts\
    - :\Windows\IME\
    - :\Windows\System32\Tasks\
    - :\Windows\Tasks\
    - \config\systemprofile\
    - \Contacts\
    - \Favorites\
    - \Favourites\
    - \Music\
    - \Pictures\
    - \Videos\
    - \Windows\addins\
filter_main_domains:
  DestinationHostname|endswith:
    - .githubusercontent.com
    - 0x0.st
    - anonfiles.com
    - bashupload.com
    - cdn.discordapp.com
    - chunk.io
    - ddns.net
    - dl.dropboxusercontent.com
    - ghostbin.co
    - github.com
    - glitch.me
    - gofile.io
    - hastebin.com
    - mediafire.com
    - mega.co.nz
    - mega.nz
    - onrender.com
    - pages.dev
    - paste.ee
    - pastebin.com
    - pastebin.pl
    - pastetext.net
    - portmap.io
    - privatlab.com
    - privatlab.net
    - send.exploit.in
    - sendspace.com
    - storage.googleapis.com
    - storjshare.io
    - supabase.co
    - temp.sh
    - transfer.sh
    - trycloudflare.com
    - ufile.io
    - w3spaces.com
    - workers.dev
    - x0.at
condition: selection and not 1 of filter_main_*

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Created

2017-03-19

Data Sources

windowsNetwork Connection Events

Platforms

windows

Tags

attack.command-and-controlattack.t1105
Raw Content
title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
related:
    - id: 8b48ad89-10d8-4382-a546-50588c410f0d
      type: similar
    - id: d635249d-86b5-4dad-a8c7-d7272b788586
      type: similar
    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
      type: similar
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
    - id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
      type: similar
    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
      type: similar
    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
      type: similar
    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
      type: similar
    - id: b6e04788-29e1-4557-bb14-77f761848ab8
      type: similar
    - id: a0d7e4d2-bede-4141-8896-bc6e237e977c
      type: similar
    - id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
      type: similar
status: test
description: |
    Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2026-03-29
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Music\'
            - '\Pictures\'
            - '\Videos\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - '0x0.st'
            - 'anonfiles.com'
            - 'bashupload.com'
            - 'cdn.discordapp.com'
            - 'chunk.io'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io'  # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
            - 'x0.at'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high