Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Rule name: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Command and Control: Ingress Tool Transfer (T1105)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder fires when an executable running from a suspicious folder (for example a temp, public or recycle-bin directory) initiates an outbound connection to a known file-sharing or paste-site domain such as Dropbox or Google Drive storage. Malware commonly uses such services to stage or exfiltrate collected data, or to fetch additional tooling.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access (spear-phishing) → Execution (through AgentTesla) → Collection → Defense Evasion → Impact

Impact

  • To maintain access, the malware configures itself to run at login from suspicious folders
  • The malware enumerates user files and system metadata to identify sensitive documents
  • Data exfiltration

Rule Requirement

Prerequisites

  • Download and install Sysmon from Microsoft Sysinternals. Then open Command Prompt with administrator privileges and install Sysmon with a configuration that monitors network connections, using -

sysmon.exe -i [configfile.xml]

  • Add network connection events (Sysmon Event ID 3) to your configuration file, using -

<Sysmon schemaversion="4.90"> <!-- use the schema version that "sysmon -s" prints for your installed build -->
  <EventFiltering>
    <!-- An empty "exclude" rule excludes nothing, so every network connection event is logged -->
    <NetworkConnect onmatch="exclude"/>
  </EventFiltering>
</Sysmon>

  • Create a new registry key "Microsoft-Windows-Sysmon/Network" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
  • Allocate the registry value of Max Size to 200MB to ensure adequate storage for network logs, as they tend to be high volume.

Criteria

Action1: actionname = "sa_network_connection"
  AND PROCESSNAME contains ":\$Recycle.bin,:\Perflogs\,:\Temp\,:\Users\Default\,:\Users\Public\,:\Windows\Fonts\,:\Windows\IME\,:\Windows\System32\Tasks\,:\Windows\Tasks\,:\Windows\Temp\,\AppData\Temp\,\config\systemprofile\,\Windows\addins"
  AND (IS_INITIATED = "true"
       AND (DESTINATIONHOST endswith ".githubusercontent.com,anonfiles.com,cdn.discordapp.com,ddns.net,dl.dropboxusercontent.com,ghostbin.co,glitch.me,gofile.io,hastebin.com,mediafire.com,mega.co.nz,mega.nz,onrender.com,pages.dev,paste.ee,pastebin.com"
            OR DESTINATIONHOST endswith "pastebin.pl,pastetext.net,pixeldrain.com,privatlab.com,privatlab.net,send.exploit.in,sendspace.com,storage.googleapis.com,storjshare.io,supabase.co,temp.sh,transfer.sh,trycloudflare.com,ufile.io,w3spaces.com,workers.dev"))
select Action1.HOSTNAME, Action1.MESSAGE, Action1.USERNAME, Action1.PROCESSNAME, Action1.DESTINATIONHOST, Action1.DESTINATION_IPV6, Action1.DEST_IP, Action1.SOURCEHOST, Action1.SOURCE_IP, Action1.SOURCE_IPV6
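The criteria above re-implemented as runnable matching logic, as an added example that is not part of the rule page: it applies the same folder "contains", Initiated and domain "endswith" tests to Sysmon Event ID 3 records, using Sysmon's own field names (Image, Initiated, DestinationHostname) in place of the SIEM's PROCESSNAME, IS_INITIATED and DESTINATIONHOST; the sample events are constructed.

```python
"""Added example: the rule's matching logic over Sysmon Event ID 3 fields. Sysmon's
Image / Initiated / DestinationHostname map to PROCESSNAME / IS_INITIATED / DESTINATIONHOST."""

# Suspicious process locations from the rule's PROCESSNAME "contains" clause.
SUSPICIOUS_DIRS = (
    ":\\$Recycle.bin", ":\\Perflogs\\", ":\\Temp\\", ":\\Users\\Default\\",
    ":\\Users\\Public\\", ":\\Windows\\Fonts\\", ":\\Windows\\IME\\",
    ":\\Windows\\System32\\Tasks\\", ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\",
    "\\AppData\\Temp\\", "\\config\\systemprofile\\", "\\Windows\\addins",
)

# File-sharing and paste-site domains from the rule's DESTINATIONHOST clauses.
FILE_SHARING_DOMAINS = (
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "glitch.me", "gofile.io",
    "hastebin.com", "mediafire.com", "mega.co.nz", "mega.nz", "onrender.com",
    "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net",
    "pixeldrain.com", "privatlab.com", "privatlab.net", "send.exploit.in",
    "sendspace.com", "storage.googleapis.com", "storjshare.io", "supabase.co",
    "temp.sh", "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com",
    "workers.dev",
)


def matches(event: dict) -> bool:
    """True when a Sysmon network-connection record satisfies the rule criteria."""
    image = event.get("Image", "").lower()
    host = event.get("DestinationHostname", "").lower()
    # Case-insensitive 'contains' on the process path (Windows paths are).
    in_suspicious_dir = any(d.lower() in image for d in SUSPICIOUS_DIRS)
    # Only outbound connections count (Initiated="true" in Sysmon).
    outbound = event.get("Initiated", "").lower() == "true"
    # Plain suffix match like the rule's 'endswith' ("ddns.net" also matches "myddns.net").
    to_file_sharing = any(host.endswith(d) for d in FILE_SHARING_DOMAINS)
    return in_suspicious_dir and outbound and to_file_sharing


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "Initiated": "true",
     "DestinationHostname": "dl.dropboxusercontent.com"},
    {"Image": "C:\\Program Files\\Dropbox\\Dropbox.exe", "Initiated": "true",
     "DestinationHostname": "dl.dropboxusercontent.com"},
    {"Image": "C:\\Users\\Public\\svc.exe", "Initiated": "false",
     "DestinationHostname": "cdn.discordapp.com"},
    {"Image": "C:\\Windows\\Temp\\a.exe", "Initiated": "true",
     "DestinationHostname": "pastebin.com"},
]


def alerts(events: list) -> list:
    """Return the process paths of all events that trigger the rule."""
    return [e["Image"] for e in events if matches(e)]
```

Running `alerts(SAMPLE_EVENTS)` flags only the two processes in Users\Public and Windows\Temp; the installed Dropbox client and the inbound connection are not matched.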

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Command and Control: Ingress Tool Transfer (T1105)

Security Standards

Enabling this rule will help you meet the requirements of the security standards listed below:

PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.

This control ensures that organizations protect their data against unauthorized access, alteration, or transmission. Encrypting traffic (SSL or TLS), applying data integrity measures, and recording network traffic are a few preventive measures against data leakage.

DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events.

This control covers monitoring user activities and interactions with systems, such as logins, file access, or use of sensitive systems, to identify suspicious behavior. By analyzing and correlating activity patterns in real time, organizations can quickly detect anomalies and potential threats.

Author

Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

Legitimate processes or software running from user or temporary directories (which this rule treats as suspicious) may interact with cloud storage or file-sharing services, for example self-updating installers or portable applications syncing with a cloud drive. Such activity will trigger this rule and should be tuned out by process path or destination after verification.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify the event and check if the flagged incident is new or part of an existing one.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and kill or terminate the malicious process.
  4. Reconfiguration: Update the network policies and port configurations and continuously monitor traffic trends in the network.

Mitigation

Mitigation ID

Mitigation Name

Mitigation description

M1031

Network Intrusion Prevention

Network-based intrusion detection and prevention systems can help detect malicious behavior by leveraging traffic signatures specific to certain malware or abnormal data transfers, such as those using FTP. These signatures typically focus on different patterns within protocols, which may reflect the obfuscation techniques employed by a particular threat actor or malware tool.