Suspicious Network Activity to the Internet by Previously Unknown Executable | Elastic Security Solution [8.6]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Suspicious Module Loaded by LSASS Suspicious Network Connection Attempt by Root »

Suspicious Network Activity to the Internet by Previously Unknown Executableedit

This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.

Rule type: new_terms

Rule indices:

auditbeat-*
filebeat-*
packetbeat-*
logs-endpoint.events.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-59m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Endgame

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

host.os.type:linux and event.category:network and
event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable : (
    (/etc/crontab or
     /etc/rc.local or
     /boot/* or
     /dev/shm/* or
     /etc/cron.*/* or
     /etc/init.d/* or
     /etc/rc*.d/* or
     /etc/update-motd.d/* or
     /home/*/.* or
     /run/* or
     /srv/* or
     /tmp/* or
     /usr/lib/update-notifier/* or
     /var/tmp/*) and
     not (/usr/bin/apt or
          /usr/bin/curl or
          /usr/bin/dnf or
          /usr/bin/dockerd or
          /usr/bin/dpkg or
          /usr/bin/rpm or
          /usr/bin/wget or
          /usr/bin/yum)
    )
and source.ip : (
    10.0.0.0/8 or
    127.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16) and
    not destination.ip : (
        10.0.0.0/8 or
        100.64.0.0/10 or
        127.0.0.0/8 or
        169.254.0.0/16 or
        172.16.0.0/12 or
        192.0.0.0/24 or
        192.0.0.0/29 or
        192.0.0.10/32 or
        192.0.0.170/32 or
        192.0.0.171/32 or
        192.0.0.8/32 or
        192.0.0.9/32 or
        192.0.2.0/24 or
        192.168.0.0/16 or
        192.175.48.0/24 or
        192.31.196.0/24 or
        192.52.193.0/24 or
        192.88.99.0/24 or
        198.18.0.0/15 or
        198.51.100.0/24 or
        203.0.113.0/24 or
        224.0.0.0/4 or
        240.0.0.0/4 or
        "::1" or
        "FE80::/10" or
        "FF00::/8")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/

« Suspicious Module Loaded by LSASS Suspicious Network Connection Attempt by Root »