high advisory

Network Connections from Processes in Suspicious Windows Directories

Detection of network connections originating from processes running within suspicious Windows directories, indicating potential malware execution and command-and-control activity.

This analytic identifies network connections initiated by processes whose image path lies in an unusual or suspicious Windows directory: $Recycle.Bin, config\systemprofile, PerfLogs, Users\All Users, Users\Default, Users\Public, Windows\addins, Windows\Fonts and Windows\IME. These folders are writable by a broad set of accounts, are rarely inspected, and are almost never the launch location of legitimate software, so malware drops and runs payloads there to blend in and avoid controls that focus on user profile and temp paths. A process launched from one of them that then opens a network connection is a strong indicator of a compromised endpoint and may represent command-and-control traffic, staging of further tooling, or data exfiltration. Defenders should prioritize investigation of any process in these locations that initiates a network connection, checking the executable's hash, signature and parent process before dismissing the alert.

Attack Chain

  1. Malware gains initial access via an exploit or social engineering.
  2. The malware drops an executable into a suspicious directory (e.g., $Recycle.Bin).
  3. The malware establishes persistence, potentially by creating a scheduled task or registry entry.
  4. The dropped executable initiates a network connection to an external IP address using standard protocols such as TCP or UDP.
  5. The malware receives commands from a command-and-control (C2) server.
  6. The malware stages additional payloads or tools in the compromised directory.
  7. The malware executes further malicious actions, such as data exfiltration.

Impact

Compromised endpoints can lead to significant data breaches, financial losses, and reputational damage. Malware placed in these rarely monitored directories can run and persist without drawing the attention that activity in common user-writable paths would, giving the attacker a stable foothold on the victim machine. This detection helps identify such compromises at the first outbound connection, limiting the attacker's ability to receive commands, stage payloads, or move further into the environment.

Recommendation

  • Deploy the Sigma rule Network Connection from Process in Suspicious Windows Directory to your SIEM and tune it for your environment.
  • Enable Sysmon Event ID 3 (NetworkConnect) logging, which is the data source the rule depends on; without it the rule generates no events.
  • Investigate every alert the rule raises to identify the compromised endpoint and the malicious process, including its hash, signature, parent process and persistence mechanism.
  • Review the trusted processes that legitimately run from these folders and add them to the rule's filter, as described in its known_false_positives field, to reduce false positives.
  • Implement network segmentation to limit the reach of a compromised endpoint.
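The detection logic described above and the allowlist tuning recommended here, as an added example that is not code from the platform or from the Sigma rule itself. It parses the rendered "Key: Value" message Sysmon writes for Event ID 3, flags events whose Image sits under one of the directories the advisory lists, and applies a hypothetical allowlist entry (corpagent.exe under Users\Public) to show how a trusted process is filtered out. The Initiated == true filter is an added tuning choice the page does not specify, and all events are constructed sample data.

```python
"""Run the advisory's detection logic over Sysmon Event ID 3 records.

Added example for this page; not code from the platform or the Sigma rule.
Directory list is the advisory's; the allowlist and all events are constructed.
"""
from __future__ import annotations

# Directory fragments named in the advisory, lower-cased and bounded by
# backslashes so "\users\default\" does not also match "\users\defaultuser0\".
SUSPICIOUS_DIRS = (
    "\\$recycle.bin\\",
    "\\config\\systemprofile\\",
    "\\perflogs\\",
    "\\users\\all users\\",
    "\\users\\default\\",
    "\\users\\public\\",
    "\\windows\\addins\\",
    "\\windows\\fonts\\",
    "\\windows\\ime\\",
)

# Hypothetical tuning allowlist (assumption, not from the page): full image
# paths of trusted binaries known to run from one of the folders above.
ALLOWLIST = {"c:\\users\\public\\corpagent\\corpagent.exe"}


def parse_sysmon_message(message: str) -> dict[str, str]:
    """Parse Sysmon's rendered event body, one "Key: Value" pair per line."""
    fields: dict[str, str] = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")   # first colon only; IPv6 values keep theirs
        if sep and value.strip():               # skips the "... detected:" header line
            fields[key.strip()] = value.strip()
    return fields


def suspicious_dir(image: str) -> str | None:
    """Return the suspicious directory fragment found in Image, or None."""
    lowered = image.lower().replace("/", "\\")  # Image case follows how the process was launched
    return next((d for d in SUSPICIOUS_DIRS if d in lowered), None)


def evaluate(event_id: int, fields: dict[str, str]) -> dict[str, str] | None:
    """Return alert details when the event matches the rule, else None."""
    # Initiated == true restricts to outbound connections the process opened itself
    # (added tuning choice; the page does not say whether the rule applies it).
    if event_id != 3 or fields.get("Initiated", "").lower() != "true":
        return None
    image = fields.get("Image", "")
    matched = suspicious_dir(image)
    if matched is None or image.lower() in ALLOWLIST:
        return None
    return {
        "image": image,
        "matched_dir": matched,
        "user": fields.get("User", "-"),
        "destination": f"{fields.get('DestinationIp', '-')}:{fields.get('DestinationPort', '-')}",
        "protocol": fields.get("Protocol", "-"),
    }


def sysmon_message(**kv: str) -> str:
    """Build a message in Sysmon's rendered layout from constructed fields."""
    return "Network connection detected:\n" + "\n".join(f"{k}: {v}" for k, v in kv.items())


# Constructed sample events: (EventID, rendered message).
SAMPLE_EVENTS = [
    (3, sysmon_message(UtcTime="2024-05-01 10:15:02.123", ProcessId="4212",
                       Image=r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\updater.exe",
                       User=r"CORP\alice", Protocol="tcp", Initiated="true",
                       SourceIp="10.0.0.5", SourcePort="51234",
                       DestinationIp="203.0.113.10", DestinationPort="443")),
    (3, sysmon_message(Image=r"C:\Program Files\Mozilla Firefox\firefox.exe", User=r"CORP\alice",
                       Protocol="tcp", Initiated="true", DestinationIp="198.51.100.7", DestinationPort="443")),
    (3, sysmon_message(Image=r"C:\Users\Public\CorpAgent\corpagent.exe", User="NT AUTHORITY\\SYSTEM",
                       Protocol="tcp", Initiated="true", DestinationIp="10.0.0.20", DestinationPort="8443")),
    (3, sysmon_message(Image=r"C:\Users\DefaultUser0\Downloads\tool.exe", User=r"CORP\bob",
                       Protocol="tcp", Initiated="true", DestinationIp="192.0.2.9", DestinationPort="80")),
    (3, sysmon_message(Image=r"C:\Windows\System32\config\systemprofile\AppData\Roaming\svc.exe",
                       User="NT AUTHORITY\\SYSTEM", Protocol="udp", Initiated="true",
                       DestinationIp="203.0.113.44", DestinationPort="53")),
    (1, sysmon_message(Image=r"C:\PerfLogs\run.exe", CommandLine="run.exe -s")),  # ProcessCreate, not EventID 3
]


def run_detection(events=SAMPLE_EVENTS) -> list[dict[str, str]]:
    """Apply evaluate() to every event and return the alerts raised."""
    alerts = []
    for event_id, message in events:
        alert = evaluate(event_id, parse_sysmon_message(message))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detection():
        print(f"ALERT {alert['image']} -> {alert['destination']} ({alert['protocol']}) "
              f"user={alert['user']} dir={alert['matched_dir']}")
```

Running the block raises two alerts: the updater.exe in $Recycle.Bin and the svc.exe under config\systemprofile. The Firefox event never matches, the DefaultUser0 path is rejected by the backslash-bounded fragment, the allowlisted CorpAgent binary is filtered out, and the PerfLogs event is ignored because it is not an Event ID 3 record. In a SIEM the same three decisions (case-insensitive path fragment, allowlist of full image paths, event-type restriction) are what you tune.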

Detection coverage (2 rules)

Network Connection from Process in Suspicious Windows Directory

high

Detects network connections from processes running within suspicious Windows directories.

Format: sigma. Tactics: command_and_control, defense_evasion. Techniques: T1011, T1071.001. Sources: network_connection, windows.

Network Connection from Process in Suspicious Windows Directory (Sysmon)

high

Detects network connections from processes running within suspicious Windows directories using Sysmon Event ID 3.

Format: sigma. Tactics: command_and_control, defense_evasion. Techniques: T1011, T1071.001. Sources: network_connection, windows.
