Dllhost.EXE Initiated Network Connection To Non-Local IP Address (cfed2f44-16df-4bf3-833a-79405198b277)

Detects dllhost.exe initiating a network connection to a non-local IP address. Microsoft's own IP ranges need to be excluded. Network communication from dllhost.exe depends entirely on the DLL it hosts, so an initial baseline is recommended before deployment.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Dllhost.EXE Initiated Network Connection To Non-Local IP Address (cfed2f44-16df-4bf3-833a-79405198b277) | Sigma-Rules | Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | 1 |
| Dllhost.EXE Initiated Network Connection To Non-Local IP Address (cfed2f44-16df-4bf3-833a-79405198b277) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |
| Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | 2 |