Add caspol network connection#5877

Open
davidljohnson wants to merge 2 commits into SigmaHQ:master from davidljohnson:add-caspol-network-connection

Conversation

@davidljohnson

Summary of the Pull Request

New rule to detect network connections initiated by CasPol.exe (.NET Framework CAS Policy Manager). CasPol.exe has no legitimate reason to make network connections and is abused as a process hollowing target by malware including XWorm.

There are no existing SigmaHQ rules covering CasPol.exe. This follows the established pattern of per-binary network connection rules (similar to the existing rundll32, wuauclt, and dllhost network connection rules).

Validated via attack emulation on Windows 10 with Sysmon v15.15. The emulation was based on techniques documented in a real XWorm v5.6 LATAM campaign analyzed by ANY.RUN.

Changelog

new: CasPol.EXE Initiated Network Connection

Example Log Event

EventID: 3
Image: C:\Users\Public\Downloads\CasPol.exe
User: YOURWORKSTATION\user
Protocol: tcp
Initiated: true
SourceIp: 127.0.0.1
SourcePort: 49681
DestinationIp: 127.0.0.1
DestinationPort: 7000

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added labels: Rules; Review Needed (The PR requires review); Windows (Pull request add/update windows related rules) on Feb 20, 2026
@swachchhanda000 swachchhanda000 (Collaborator) left a comment


Hi @davidljohnson,

Thanks for the PR.

Before we dive in, I have some questions. How do we know that CasPol.exe doesn't make any network connections in general? In Windows, unexpected/weird things happen, so we cannot just assume things. For example, if it makes some connections locally, it's going to create tons of false positives, which is very bad for a high-level rule.

Do you have any supporting resources you can share to confirm that's not the case? In fact, if you could look at the telemetry of some enterprise environment and test whether it creates some false positives, that would be helpful.

@swachchhanda000 swachchhanda000 added labels: Author Input Required (changes that require information from the original author of the rules); Additional Data Needed on Feb 24, 2026
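The selection the PR describes, applied to constructed Sysmon Event ID 3 records together with the triage context the reviewer's false-positive question calls for, as an added Python example (not the rule file and not SigmaHQ code). The .NET Framework install path prefix and the sample events are assumptions.

```python
import ipaddress

# Constructed Sysmon Event ID 3 (network connection) records, not real telemetry.
# The first mirrors the example event in the PR; the rest exercise the reviewer's
# question about local connections and a binary in its normal .NET install path.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\Public\Downloads\CasPol.exe",
     "Initiated": "true", "DestinationIp": "127.0.0.1", "DestinationPort": 7000},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "Initiated": "false", "DestinationIp": "10.0.0.9", "DestinationPort": 55000},
]

# Assumed location of the legitimate binary (.NET Framework install directories).
DOTNET_FRAMEWORK_PREFIX = r"c:\windows\microsoft.net\framework"


def matches_rule(event: dict) -> bool:
    """Selection mirroring the per-binary network-connection rule pattern:
    Sysmon network_connection event, Image ending in caspol.exe (Sigma string
    matching is case-insensitive), and the connection initiated by the process."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower()
    return event.get("EventID") == 3 and image.endswith("\\caspol.exe") and initiated == "true"


def triage_flags(event: dict) -> list[str]:
    """Context an analyst wants on a hit: a loopback destination (the reviewer's
    false-positive concern, and what the PR's own example event shows) and an
    image path outside the assumed .NET Framework directory."""
    flags = []
    if ipaddress.ip_address(event["DestinationIp"]).is_loopback:
        flags.append("loopback_destination")
    if not str(event["Image"]).lower().startswith(DOTNET_FRAMEWORK_PREFIX):
        flags.append("image_outside_dotnet_dir")
    return flags


def run_detection(events: list[dict]) -> list[dict]:
    """Apply the selection and attach triage flags to each matching event."""
    return [{"Image": e["Image"], "DestinationIp": e["DestinationIp"],
             "flags": triage_flags(e)} for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Running it shows two hits: the PR's example event carries both flags, while a CasPol.exe connection from the .NET install directory to a non-loopback address matches the rule with no extra flags, which is exactly the class of event the reviewer asks to be measured against real telemetry.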