security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #4834 from @CertainlyP - Add Outbound Network Connection Initiated By Microsoft Dialer
Create Release / Create Release (push) Waiting to run
Details

Browse Source 
new: Outbound Network Connection Initiated By Microsoft Dialer 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Expected
2024-04-29 16:24:38 +05:30
committed by GitHub
parent 6ac6153976
commit 39db80478e
1 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
+38
View File
@@ -0,0 +1,38 @@
title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: experimental
description: |
Detects outbound network connection initiated by Microsoft Dialer.
The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
- hhttps://tria.ge/240301-rk34sagf5x/behavioral2
- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024/04/26
tags:
- attack.execution
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: ':\Windows\System32\dialer.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high