Dllhost.EXE Initiated Network Connection To Non-Local IP Address
Detects Dllhost.EXE initiating a network connection to a non-local IP address. Microsoft's own IP ranges need to be excluded; beyond that, network communication from Dllhost depends entirely on the hosted DLL, so an initial baseline is recommended before deployment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1559.001 Inter-Process Communication: Component Object Model |
| Stealth | T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 3 | Network connection |
Rule body

```yaml
title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
id: cfed2f44-16df-4bf3-833a-79405198b277
status: test
description: |
    Detects Dllhost.EXE initiating a network connection to a non-local IP address.
    Aside from Microsoft's own IP ranges that need to be excluded, network communication from Dllhost will depend entirely on the hosted DLL.
    An initial baseline is recommended before deployment.
references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
author: bartblaze
date: 2020-07-13
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
    - attack.t1559.001
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '::1/128' # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7' # IPv6 private addresses
            - 'fe80::/10' # IPv6 link-local addresses
    filter_main_msrange:
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13' # Akamai International B.V.
            - '51.10.0.0/15' # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
            - '150.171.0.0/19' # Microsoft Corporation
            - '204.79.197.0/24' # Microsoft Corporation
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
```
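To see how the condition `selection and not 1 of filter_main_*` behaves on real-looking Sysmon Event ID 3 records, here is an added Python evaluation of the rule (example code written for this page, not part of the Sigma project or the rule author's tooling). The sample events are constructed; Sigma's `endswith` is treated as case-insensitive and `cidr` is evaluated with the standard `ipaddress` module.

```python
import ipaddress
from typing import Iterable

# The two filter_main_* CIDR lists, copied from the rule body above.
LOCAL_RANGES = ["::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10"]
MS_RANGES = ["20.184.0.0/13", "20.192.0.0/10", "23.72.0.0/13", "51.10.0.0/15",
             "51.103.0.0/16", "51.104.0.0/15", "52.224.0.0/11",
             "150.171.0.0/19", "204.79.197.0/24"]
EXCLUDED = [ipaddress.ip_network(c) for c in LOCAL_RANGES + MS_RANGES]


def in_excluded_range(dest_ip: str) -> bool:
    """True if dest_ip falls inside any filter_main_* CIDR (Sigma |cidr modifier)."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        # An unparseable DestinationIp matches no CIDR, so no filter suppresses it.
        return False
    return any(addr in net for net in EXCLUDED if net.version == addr.version)


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' on one Sysmon EID 3 event."""
    image = str(event.get("Image", "")).lower()          # Sigma matching is case-insensitive
    initiated = str(event.get("Initiated", "")).lower()  # Sysmon logs 'true'/'false' as text
    selection = image.endswith("\\dllhost.exe") and initiated == "true"
    return selection and not in_excluded_range(str(event.get("DestinationIp", "")))


def hunt(events: Iterable[dict]) -> list:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only the third one should alert:
# 192.168.1.10 is RFC1918, 20.190.1.5 is inside 20.184.0.0/13, fe80::1 is link-local,
# and the remaining two fail the selection (not Initiated, or not dllhost.exe).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true",  "DestinationIp": "192.168.1.10"},
    {"Image": r"C:\Windows\System32\DllHost.exe", "Initiated": "true",  "DestinationIp": "20.190.1.5"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true",  "DestinationIp": "203.0.113.7"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "false", "DestinationIp": "203.0.113.7"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",  "DestinationIp": "203.0.113.7"},
    {"Image": r"C:\Windows\System32\dllhost.exe", "Initiated": "true",  "DestinationIp": "fe80::1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Feeding a day of Event ID 3 records through `hunt` is a quick way to produce the baseline the description asks for before enabling the rule.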
Stages and Predicates

Stage 0: condition

```
selection and not 1 of filter_main_*
```

Stage 1: selection

```yaml
selection:
    Image|endswith: '\dllhost.exe'
    Initiated: 'true'
```

Stage 2: not filter_main_*

```yaml
filter_main_local_ranges:
    DestinationIp|cidr:
        - '::1/128'
        - '10.0.0.0/8'
        - '127.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
        - '169.254.0.0/16'
        - 'fc00::/7'
        - 'fe80::/10'
filter_main_msrange:
    DestinationIp|cidr:
        - '20.184.0.0/13'
        - '20.192.0.0/10'
        - '23.72.0.0/13'
        - '51.10.0.0/15'
        - '51.103.0.0/16'
        - '51.104.0.0/15'
        - '52.224.0.0/11'
        - '150.171.0.0/19'
        - '204.79.197.0/24'
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| DestinationIp | cidr_match | 10.0.0.0/8 |
| DestinationIp | cidr_match | 127.0.0.0/8 |
| DestinationIp | cidr_match | 150.171.0.0/19 |
| DestinationIp | cidr_match | 169.254.0.0/16 |
| DestinationIp | cidr_match | 172.16.0.0/12 |
| DestinationIp | cidr_match | 192.168.0.0/16 |
| DestinationIp | cidr_match | 20.184.0.0/13 |
| DestinationIp | cidr_match | 20.192.0.0/10 |
| DestinationIp | cidr_match | 204.79.197.0/24 |
| DestinationIp | cidr_match | 23.72.0.0/13 |
| DestinationIp | cidr_match | 51.10.0.0/15 |
| DestinationIp | cidr_match | 51.103.0.0/16 |
| DestinationIp | cidr_match | 51.104.0.0/15 |
| DestinationIp | cidr_match | 52.224.0.0/11 |
| DestinationIp | cidr_match | ::1/128 |
| DestinationIp | cidr_match | fc00::/7 |
| DestinationIp | cidr_match | fe80::/10 |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.