A newer version is available. For the latest information, see the
current release documentation.
Command Prompt Network Connectionedit
Identifies cmd.exe
making a network connection. Adversaries can abuse
cmd.exe
to download or execute malware from a remote URL.
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Potential false positivesedit
Administrators may use the command prompt for regular administrative tasks. It’s important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
Rule queryedit
process.name:cmd.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command-Line Interface
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Remote File Copy
- ID: T1105
- Reference URL: https://attack.mitre.org/techniques/T1105/