sigma · medium · Hunting
Dllhost.EXE Initiated Network Connection To Non-Local IP Address
Detects Dllhost.EXE initiating a network connection to a non-local IP address; Microsoft's own IP ranges need to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL, so an initial baseline is recommended before deployment.
Detection Query
selection:
    Image|endswith: \dllhost.exe
    Initiated: "true"
filter_main_local_ranges:
    DestinationIp|cidr:
        - ::1/128
        - 10.0.0.0/8
        - 127.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
        - fc00::/7
        - fe80::/10
filter_main_msrange:
    DestinationIp|cidr:
        - 20.184.0.0/13
        - 20.192.0.0/10
        - 23.72.0.0/13
        - 51.10.0.0/15
        - 51.103.0.0/16
        - 51.104.0.0/15
        - 52.224.0.0/11
        - 150.171.0.0/19
        - 204.79.197.0/24
condition: selection and not 1 of filter_main_*
Author
bartblaze
Created
2020-07-13
Data Sources
windows - Network Connection Events
Platforms
windows
References
- https://redcanary.com/blog/child-processes/
- https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
Tags
- attack.defense-evasion
- attack.t1218
- attack.execution
- attack.t1559.001
- detection.threat-hunting
Raw Content
title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
id: cfed2f44-16df-4bf3-833a-79405198b277
status: test
description: |
    Detects Dllhost.EXE initiating a network connection to a non-local IP address.
    Microsoft's own IP ranges need to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
    An initial baseline is recommended before deployment.
references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
author: bartblaze
date: 2020-07-13
modified: 2024-07-16
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.execution
    - attack.t1559.001
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13' # Akamai International B.V.
            - '51.10.0.0/15' # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
            - '150.171.0.0/19' # Microsoft Corporation
            - '204.79.197.0/24' # Microsoft Corporation
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
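As an added example that is not part of the rule or of this catalogue page, the Python below reproduces the rule's condition, `selection and not 1 of filter_main_*`, over constructed Sysmon-style network connection events, so the CIDR exclusions can be checked against a baseline before the rule is deployed. Field names follow Sysmon Event ID 3 (Image, Initiated, DestinationIp); the sample events are constructed, not real telemetry.

```python
import ipaddress

# CIDR lists copied from the rule's filter_main_local_ranges and filter_main_msrange
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]
MS_RANGES = [ipaddress.ip_network(c) for c in (
    "20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
    "51.103.0.0/16", "51.104.0.0/15", "52.224.0.0/11", "150.171.0.0/19",
    "204.79.197.0/24")]

def matches_rule(event):
    """Evaluate `selection and not 1 of filter_main_*` for one event dict
    keyed by Sysmon Event ID 3 field names (Image, Initiated, DestinationIp)."""
    # selection: Image|endswith '\dllhost.exe' (Sigma string matching is case-insensitive)
    if not str(event.get("Image", "")).lower().endswith("\\dllhost.exe"):
        return False
    # selection: Initiated 'true' (the process opened the connection itself)
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    # filters: a destination inside any listed CIDR suppresses the hit
    try:
        dst = ipaddress.ip_address(str(event.get("DestinationIp", "")))
    except ValueError:
        return True  # missing/malformed IP matches no cidr filter, so the hit stands
    return not any(dst in net for net in LOCAL_RANGES + MS_RANGES)

def hunt(events):
    """Return the events the rule would surface for baseline review."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry), one per branch of the logic
DLLHOST = r"C:\Windows\System32\dllhost.exe"
SAMPLE_EVENTS = [
    {"Image": DLLHOST, "Initiated": "true", "DestinationIp": "203.0.113.10"},  # public, non-MS: hit
    {"Image": DLLHOST, "Initiated": "true", "DestinationIp": "10.20.30.40"},   # RFC 1918: filtered
    {"Image": DLLHOST, "Initiated": "true", "DestinationIp": "20.190.1.2"},    # in 20.184.0.0/13: filtered
    {"Image": DLLHOST, "Initiated": "true", "DestinationIp": "fe80::1"},       # link-local v6: filtered
    {"Image": DLLHOST, "Initiated": "false", "DestinationIp": "203.0.113.10"}, # inbound: not selected
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10"},                                        # other image: not selected
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("review:", hit["Image"], "->", hit["DestinationIp"])
```

Only the first sample event survives the filters; a destination that falls in any one of the listed ranges is dropped, which is also why a missing or malformed DestinationIp is not excluded.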