Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
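title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
    Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2025-12-10
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Only connections initiated by the local process. The value is quoted
        # because the event field is a string ("true"/"false"), not a YAML boolean.
        Initiated: 'true'
        # Image paths that legitimate software rarely runs from: recycle bin,
        # temp and log folders, default/public profiles, user media folders,
        # font/IME directories and scheduled-task storage.
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Music\'
            - '\Pictures\'
            - '\Videos\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        # (that rule already alerts on connections to these hosting / paste / tunnel
        # services, so matching them here too would only double the alert volume).
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io' # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    # Alert on the selection unless any filter_main_* group matches.
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high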
// KQL rendering of the Sigma rule above for the ASIM imNetworkSession parser.
// Both the source and the destination process image path are compared against the
// suspicious-location list, and connections to the same hosting / paste / tunnel
// domains that the Sigma filter_main_domains group excludes are dropped.
imNetworkSession
// NOTE(review): `NetworkDirection =~ "true"` is a literal carry-over of the Sigma
// field `Initiated: 'true'`. In the ASIM network-session schema NetworkDirection is
// expected to hold direction values such as "Outbound" rather than "true", so confirm
// this predicate can actually match on real data before relying on the query.
| where (NetworkDirection =~ "true" and ((SrcProcessName contains ":\\$Recycle.bin" or SrcProcessName contains ":\\Perflogs\\" or SrcProcessName contains ":\\Temp\\" or SrcProcessName contains ":\\Users\\Default\\" or SrcProcessName contains ":\\Users\\Public\\" or SrcProcessName contains ":\\Windows\\Fonts\\" or SrcProcessName contains ":\\Windows\\IME\\" or SrcProcessName contains ":\\Windows\\System32\\Tasks\\" or SrcProcessName contains ":\\Windows\\Tasks\\" or SrcProcessName contains "\\config\\systemprofile\\" or SrcProcessName contains "\\Contacts\\" or SrcProcessName contains "\\Favorites\\" or SrcProcessName contains "\\Favourites\\" or SrcProcessName contains "\\Music\\" or SrcProcessName contains "\\Pictures\\" or SrcProcessName contains "\\Videos\\" or SrcProcessName contains "\\Windows\\addins\\") or (DstProcessName contains ":\\$Recycle.bin" or DstProcessName contains ":\\Perflogs\\" or DstProcessName contains ":\\Temp\\" or DstProcessName contains ":\\Users\\Default\\" or DstProcessName contains ":\\Users\\Public\\" or DstProcessName contains ":\\Windows\\Fonts\\" or DstProcessName contains ":\\Windows\\IME\\" or DstProcessName contains ":\\Windows\\System32\\Tasks\\" or DstProcessName contains ":\\Windows\\Tasks\\" or DstProcessName contains "\\config\\systemprofile\\" or DstProcessName contains "\\Contacts\\" or DstProcessName contains "\\Favorites\\" or DstProcessName contains "\\Favourites\\" or DstProcessName contains "\\Music\\" or DstProcessName contains "\\Pictures\\" or DstProcessName contains "\\Videos\\" or DstProcessName contains "\\Windows\\addins\\"))) and (not((DstHostname endswith ".githubusercontent.com" or DstHostname endswith "anonfiles.com" or DstHostname endswith "cdn.discordapp.com" or DstHostname endswith "ddns.net" or DstHostname endswith "dl.dropboxusercontent.com" or DstHostname endswith "ghostbin.co" or DstHostname endswith "github.com" or DstHostname endswith "glitch.me" or DstHostname endswith "gofile.io" or DstHostname 
endswith "hastebin.com" or DstHostname endswith "mediafire.com" or DstHostname endswith "mega.co.nz" or DstHostname endswith "mega.nz" or DstHostname endswith "onrender.com" or DstHostname endswith "pages.dev" or DstHostname endswith "paste.ee" or DstHostname endswith "pastebin.com" or DstHostname endswith "pastebin.pl" or DstHostname endswith "pastetext.net" or DstHostname endswith "portmap.io" or DstHostname endswith "privatlab.com" or DstHostname endswith "privatlab.net" or DstHostname endswith "send.exploit.in" or DstHostname endswith "sendspace.com" or DstHostname endswith "storage.googleapis.com" or DstHostname endswith "storjshare.io" or DstHostname endswith "supabase.co" or DstHostname endswith "temp.sh" or DstHostname endswith "transfer.sh" or DstHostname endswith "trycloudflare.com" or DstHostname endswith "ufile.io" or DstHostname endswith "w3spaces.com" or DstHostname endswith "workers.dev")))
| Sentinel Table | Notes |
|---|---|
| imNetworkSession | Ensure this data connector is enabled |