Suspicious Network Connection Binary No CommandLine

Sigma Rules
Summary
This Sigma rule flags outbound network connections initiated by three commonly abused Windows system binaries (regsvr32.exe, rundll32.exe, dllhost.exe) when the process was started with no command line arguments, that is, when the recorded command line is nothing but the path or name of the binary itself. All three are signed, trusted binaries that normally need arguments to do anything useful (a DLL to register, an export to call, a /Processid switch for a COM surrogate), so a bare invocation that nevertheless opens a network connection is unusual and is a pattern associated with malware that hollows or injects into these processes to slip past detection logic keyed on command line content. The rule works on network connection events that carry the originating process image and its command line (where the logging pipeline records or enriches that field), selects the three images, and keeps only events whose command line ends in the binary name with nothing after it. Because these binaries are also used legitimately, some false positives are expected, and each hit should be reviewed against the parent process, the destination address, and what the process had loaded at the time of the connection.
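The following is an added example, not the rule's own YAML: a small Python evaluator that applies the logic described above to a handful of constructed Sysmon-style network connection events. Field names (Image, CommandLine, Initiated, DestinationIp, DestinationPort) are assumed from Sysmon Event ID 3; the sample events, addresses and the /Processid GUID are made up for illustration. The bare-invocation test mirrors the rule's "command line ends with the binary name" check, tolerating quoting and mixed case, and the last sample event shows the blind spot when the CommandLine field is absent: the rule cannot fire.

```python
"""Toy evaluator for the 'Suspicious Network Connection Binary No CommandLine'
logic, run over constructed Sysmon-style network connection events.
Added example; this is not the Sigma rule's own YAML."""
import ntpath
from typing import Dict, Iterable, List

Event = Dict[str, str]

# The three binaries named by the rule.
SUSPICIOUS_IMAGES = ("regsvr32.exe", "rundll32.exe", "dllhost.exe")


def has_no_arguments(command_line: str, image_name: str) -> bool:
    """True when the command line is nothing but the binary itself.

    Mirrors the rule's 'CommandLine ends with <binary name>' check: surrounding
    quotes are tolerated, the comparison is case-insensitive, and anything after
    the executable name (a DLL, an export, a /Processid switch) makes it False.
    An empty or missing CommandLine also returns False, matching Sigma semantics
    where a missing field cannot satisfy an endswith modifier.
    """
    cmd = command_line.strip().strip('"').lower()
    return bool(cmd) and cmd.endswith(image_name.lower())


def matches_rule(event: Event) -> bool:
    """Selection logic: outbound connection by one of the three images with a
    bare command line. Field names follow Sysmon Event ID 3 (assumption)."""
    if event.get("Initiated", "").lower() != "true":
        return False
    image_name = ntpath.basename(event.get("Image", "")).lower()
    if image_name not in SUSPICIOUS_IMAGES:
        return False
    return has_no_arguments(event.get("CommandLine", ""), image_name)


def run_detection(events: Iterable[Event]) -> List[Event]:
    """Return the events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # bare rundll32 opening an outbound HTTPS connection: should alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe"',
        "Initiated": "true",
        "DestinationIp": "203.0.113.10", "DestinationPort": "443",
    },
    {   # ordinary rundll32 usage with a DLL and export: no alert
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "Initiated": "true",
        "DestinationIp": "203.0.113.20", "DestinationPort": "80",
    },
    {   # COM Surrogate with its usual /Processid switch (constructed GUID): no alert
        "Image": r"C:\Windows\System32\dllhost.exe",
        "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}",
        "Initiated": "true",
        "DestinationIp": "203.0.113.30", "DestinationPort": "443",
    },
    {   # regsvr32 with no path and no arguments: should alert
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": "regsvr32.exe",
        "Initiated": "true",
        "DestinationIp": "198.51.100.5", "DestinationPort": "8080",
    },
    {   # accepted (inbound) connection, not initiated by the process: no alert
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"C:\Windows\System32\regsvr32.exe",
        "Initiated": "false",
        "DestinationIp": "10.0.0.5", "DestinationPort": "49152",
    },
    {   # event without CommandLine enrichment: the rule cannot fire (blind spot)
        "Image": r"C:\Windows\System32\dllhost.exe",
        "Initiated": "true",
        "DestinationIp": "198.51.100.9", "DestinationPort": "443",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']} "
              f"cmd={hit.get('CommandLine')!r}")
```

Running the script prints two alerts, for the bare rundll32.exe and the bare regsvr32.exe connections; the legitimate COM Surrogate, the rundll32 call with a DLL argument, the inbound connection and the event lacking a CommandLine field are all passed over. The last case is the one to keep in mind when deploying the rule: if the network connection source does not carry the command line, the detection silently never matches.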
Categories
  • Network
  • Windows
Data Sources
  • Network Traffic
  • Process
Created: 2022-07-03