Potentially Suspicious Malware Callback Communication

Hunt Hypothesis

Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases

Detection Rule

Sigma (Original)

title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
      type: similar
status: test
description: |
    Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 7777
            - 8143
            - 8843
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imNetworkSession
| where (NetworkDirection =~ "true" and (DstPortNumber in~ ("100", "198", "200", "243", "473", "666", "700", "743", "777", "1443", "1515", "1777", "1817", "1904", "1960", "2443", "2448", "3360", "3675", "3939", "4040", "4433", "4438", "4443", "4444", "4455", "5445", "5552", "5649", "6625", "7210", "7777", "8143", "8843", "9631", "9943", "10101", "12102", "12103", "12322", "13145", "13394", "13504", "13505", "13506", "13507", "14102", "14103", "14154", "49180", "65520", "65535"))) and (not((ipv4_is_in_range(DstIpAddr, "127.0.0.0/8") or ipv4_is_in_range(DstIpAddr, "10.0.0.0/8") or ipv4_is_in_range(DstIpAddr, "172.16.0.0/12") or ipv4_is_in_range(DstIpAddr, "192.168.0.0/16") or ipv4_is_in_range(DstIpAddr, "169.254.0.0/16") or ipv4_is_in_range(DstIpAddr, "::1/128") or ipv4_is_in_range(DstIpAddr, "fe80::/10") or ipv4_is_in_range(DstIpAddr, "fc00::/7")))) and (not(((SrcProcessName startswith "C:\\Program Files\\" or SrcProcessName startswith "C:\\Program Files (x86)\\") or (DstProcessName startswith "C:\\Program Files\\" or DstProcessName startswith "C:\\Program Files (x86)\\"))))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Persistence
• Tactic: Command and Control
• Technique: T1571 — T1571

References

• https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
• SigmaHQ Rule