Skip to content
Threat Feed
high advisory

Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

This brief details a detection strategy for suspicious network connections originating from processes located in uncommon or typically protected Windows file system directories, often indicative of malware establishing command and control or exfiltrating data.

This threat brief focuses on detecting anomalous network activity where a process initiates a connection from an unusual or suspicious file system location on a Windows system. Adversaries commonly leverage such directories, including recycle bins, temporary folders, public user folders, or system profile paths, to evade detection by disguising malicious binaries or scripts as legitimate files. The observed behavior often serves as an early indicator of compromise, suggesting malware execution, ingress tool transfer (e.g., downloading additional payloads), or the establishment of command and control (C2) communication. Detecting these connections is crucial for identifying unauthorized software execution and preventing further stages of an attack, such as data exfiltration or lateral movement, by catching the initial outbound communication.

Impact

Successful execution of malicious processes from suspicious locations leading to network connections can have severe consequences, including full system compromise, data exfiltration, and the establishment of persistent backdoors. This activity often precedes the deployment of ransomware, wipers, or other destructive payloads, leading to significant financial losses, operational disruption, and reputational damage for affected organizations. Without timely detection, attackers can maintain a foothold, escalate privileges, and spread across the network unimpeded.

Recommendation

  • Deploy the Sigma rule "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" to your SIEM and tune for your environment to detect anomalous network connections.
  • Ensure network_connection logs are enabled for your Windows endpoints, preferably through Sysmon or a robust EDR solution, to provide the necessary telemetry for the detection rule.
  • Investigate all alerts generated by the provided Sigma rule, paying close attention to the Image path and the DestinationHostname to identify potentially malicious processes or C2 infrastructure.
  • Review processes executing from directories like C:\$Recycle.bin, C:\Temp\, C:\Users\Public\, or C:\Windows\Tasks\ that attempt to make outbound network connections.

Detection coverage 1

Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

high

Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations on Windows endpoints, which often indicates malware or attacker activity.

sigma tactics: command_and_control techniques: T1105 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →