From 39db80478e36599be3b25d9cdbd2c168815c4ea3 Mon Sep 17 00:00:00 2001
From: Expected <44563041+CertainlyP@users.noreply.github.com>
Date: Mon, 29 Apr 2024 16:24:38 +0530
Subject: [PATCH] Merge PR #4834 from @CertainlyP - Add `Outbound Network Connection Initiated By Microsoft Dialer`
new: Outbound Network Connection Initiated By Microsoft Dialer
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
...ection_win_dialer_initiated_connection.yml | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
diff --git a/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
new file mode 100644
index 00000000000..54d9bdb22b9
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml
@@ -0,0 +1,38 @@
+title: Outbound Network Connection Initiated By Microsoft Dialer
+id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
+status: experimental
+description: |
+ Detects outbound network connection initiated by Microsoft Dialer.
+ The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
+ This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
+references:
+ - hhttps://tria.ge/240301-rk34sagf5x/behavioral2
+ - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
+ - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
+ - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
+author: CertainlyP
+date: 2024/04/26
+tags:
+ - attack.execution
+ - attack.t1071.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: ':\Windows\System32\dialer.exe'
+ Initiated: 'true'
+ filter_main_local_ranges:
+ DestinationIp|cidr:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '169.254.0.0/16'
+ - '::1/128' # IPv6 loopback
+ - 'fe80::/10' # IPv6 link-local addresses
+ - 'fc00::/7' # IPv6 private addresses
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
+level: high
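Review bot: The first entry under `references:` is a broken URL — `- hhttps://tria.ge/240301-rk34sagf5x/behavioral2` has a doubled `h` and should read `- https://tria.ge/240301-rk34sagf5x/behavioral2`, otherwise the sandbox report the rule is justified by cannot be reached. The tags are also inconsistent with each other: `attack.t1071.001` (Application Layer Protocol: Web Protocols) sits under the Command and Control tactic, so the tactic tag should be `- attack.command_and_control` rather than `- attack.execution`, unless the execution tag is meant to capture something the detection logic does not express. The third paragraph of the description has typos that should be tidied before the rule leaves experimental status (`conext` → `context`, `it's` → `its`, and the sentence about Rhadamanthys is a run-on). The detection itself — `dialer.exe` initiating a connection to a non-local destination — reads as sound, and the `filter_main_local_ranges` exclusion is appropriate since the rule's value lies in external destinations; consider noting in `falsepositives` that environments with legacy modem/telephony use should tune on `DestinationIp` rather than on the image.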