Windows Network Connection From Program In Suspect Location

name: Windows Network Connection From Program In Suspect Location
id: 90fd571b-78d4-409e-a2de-0f0a80c75a84
version: 2
creation_date: '2026-05-05'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: Anomaly
description: |-
    The following analytic detects network connections from processes running out of suspicious Windows directories such as Recycle Bin, Public, PerfLogs, systemprofile, Fonts, IME, and Addins paths.
    This activity is significant because malware often executes from writable or unusual directories while communicating with external infrastructure.
    If confirmed malicious, the process may represent command-and-control, staging, or data exfiltration activity from a compromised endpoint.
data_source:
    - Sysmon EventID 3
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
    
    from datamodel=Network_Traffic.All_Traffic where
    
    All_Traffic.app IN (
        "*\\$Recycle.Bin\\*",
        "*\\Config\\SystemProfile\\*",
        "*\\PerfLogs\\*",
        "*\\Users\\All Users\\*",
        "*\\Users\\Default\\*",
        "*\\Users\\Public\\*",
        "*\\Windows\\addins\\*",
        "*\\Windows\\Fonts\\*",
        "*\\Windows\\IME\\*"
    )
    
    by All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.src
       All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.protocol
       All_Traffic.protocol_version All_Traffic.direction All_Traffic.action All_Traffic.app
       All_Traffic.dvc All_Traffic.user All_Traffic.vendor_product
    
    | `drop_dm_object_name(All_Traffic)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `windows_network_connection_from_program_in_suspect_location_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Some legitimate system or security tools may run from these folders and create network connections. Review and allow trusted processes to reduce false positives.
references:
    - https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml
drilldown_searches:
    - earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
      name: View the detection results for - "$user$" and "$dest$"
      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: Network connection from binary running from suspicious process location observed on $dest$.
analytic_story:
    - Compromised Windows Host
asset_type: Endpoint
mitre_attack_id:
    - T1011
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1011/snapattack/snapattack.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog
      test_type: unit