Detection: Windows Network Connection From Program In Suspect Location

Description

The following analytic detects network connections from processes running out of suspicious Windows directories such as Recycle Bin, Public, PerfLogs, systemprofile, Fonts, IME, and Addins paths. This activity is significant because malware often executes from writable or unusual directories while communicating with external infrastructure. If confirmed malicious, the process may represent command-and-control, staging, or data exfiltration activity from a compromised endpoint.

Search

 1
 2| tstats `security_content_summariesonly`
 3  count min(_time) as firstTime
 4        max(_time) as lastTime
 5
 6from datamodel=Network_Traffic.All_Traffic where
 7
 8All_Traffic.app IN (
 9    "*\\$Recycle.Bin\\*",
10    "*\\Config\\SystemProfile\\*",
11    "*\\PerfLogs\\*",
12    "*\\Users\\All Users\\*",
13    "*\\Users\\Default\\*",
14    "*\\Users\\Public\\*",
15    "*\\Windows\\addins\\*",
16    "*\\Windows\\Fonts\\*",
17    "*\\Windows\\IME\\*"
18)
19
20by All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.src
21   All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.protocol
22   All_Traffic.protocol_version All_Traffic.direction All_Traffic.action All_Traffic.app
23   All_Traffic.dvc All_Traffic.user All_Traffic.vendor_product
24
25
26| `drop_dm_object_name(All_Traffic)`
27
28| `security_content_ctime(firstTime)`
29
30| `security_content_ctime(lastTime)`
31
32| `windows_network_connection_from_program_in_suspect_location_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 3	Windows	'XmlWinEventLog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Some legitimate system or security tools may run from these folders and create network connections. Review and allow trusted processes to reduce false positives.

Associated Analytic Story

• Compromised Windows Host

Risk Based Analytics (RBA)

Risk Message:

Network connection from binary running from suspicious process location observed on $dest$.

References

• https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1