Dllhost.EXE Initiated Network Connection To Non-Local IP Address (cfed2f44-16df-4bf3-833a-79405198b277)

Detects dllhost.exe initiating a network connection to a non-local IP address. Microsoft's own IP range needs to be excluded. Network communication from dllhost depends entirely on the hosted DLL, so an initial baseline is recommended before deployment.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | Dllhost.EXE Initiated Network Connection To Non-Local IP Address (cfed2f44-16df-4bf3-833a-79405198b277) | Sigma-Rules | 1 |
| Dllhost.EXE Initiated Network Connection To Non-Local IP Address (cfed2f44-16df-4bf3-833a-79405198b277) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |
| Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) | Attack Pattern | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 2 |