Suspicious Network Activity to the Internet by Previously Unknown Executable
This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination IP. An alert from this rule can indicate potentially malicious activity, such as an unauthorized or suspicious process attempting to connect to an unknown or suspicious destination, for example a command-and-control (C2) server. Detecting and investigating such behavior can help identify and mitigate security threats before the system and its data are compromised.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"

[rule]
author = ["Elastic"]
description = """
This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to
unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can
help identify and mitigate potential security threats, protecting the system and its data from potential compromise.
"""
from = "now-59m"
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Network Activity to the Internet by Previously Unknown Executable"
risk_score = 21
rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:linux and event.category:network and
event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable : (
  (/etc/crontab or
  /etc/rc.local or
  /boot/* or
  /dev/shm/* or
  /etc/cron.*/* or
  /etc/init.d/* or
  /etc/rc*.d/* or
  /etc/update-motd.d/* or
  /home/*/.* or
  /run/* or
  /srv/* or
  /tmp/* or
  /usr/lib/update-notifier/* or
  /var/tmp/*) and
  not (/usr/bin/apt or
  /usr/bin/curl or
  /usr/bin/dnf or
  /usr/bin/dockerd or
  /usr/bin/dpkg or
  /usr/bin/rpm or
  /usr/bin/wget or
  /usr/bin/yum)
  )
and source.ip : (
  10.0.0.0/8 or
  127.0.0.0/8 or
  172.16.0.0/12 or
  192.168.0.0/16) and
  not destination.ip : (
  10.0.0.0/8 or
  100.64.0.0/10 or
  127.0.0.0/8 or
  169.254.0.0/16 or
  172.16.0.0/12 or
  192.0.0.0/24 or
  192.0.0.0/29 or
  192.0.0.10/32 or
  192.0.0.170/32 or
  192.0.0.171/32 or
  192.0.0.8/32 or
  192.0.0.9/32 or
  192.0.2.0/24 or
  192.168.0.0/16 or
  192.175.48.0/24 or
  192.31.196.0/24 or
  192.52.193.0/24 or
  192.88.99.0/24 or
  198.18.0.0/15 or
  198.51.100.0/24 or
  203.0.113.0/24 or
  224.0.0.0/4 or
  240.0.0.0/4 or
  "::1" or
  "FE80::/10" or
  "FF00::/8")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip", "process.executable"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
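To make the rule's logic concrete, the following is an added example (not Elastic's code and not part of the rule) that re-implements the query's filters and the new-terms behaviour in Python so they can be exercised on constructed events. Events are flat dicts keyed by ECS field name, and the 7-day history window is evaluated against event timestamps rather than against rule execution time, which is a simplification of how the Elastic new_terms rule type applies history_window_start. The executable paths, addresses and timestamps in the demo are constructed; 8.8.8.8 stands in for any routable address outside the rule's exclusion list.

```python
# Added example (not Elastic's code): a stand-alone re-implementation of the
# rule's query and new-terms logic over constructed events. Events are flat
# dicts keyed by ECS field name; the history window is evaluated against event
# timestamps, a simplification of how Elastic evaluates history_window_start.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

SUSPICIOUS_EXECUTABLE_PATTERNS = [
    "/etc/crontab", "/etc/rc.local", "/boot/*", "/dev/shm/*", "/etc/cron.*/*",
    "/etc/init.d/*", "/etc/rc*.d/*", "/etc/update-motd.d/*", "/home/*/.*",
    "/run/*", "/srv/*", "/tmp/*", "/usr/lib/update-notifier/*", "/var/tmp/*",
]
EXCLUDED_EXECUTABLES = {
    "/usr/bin/apt", "/usr/bin/curl", "/usr/bin/dnf", "/usr/bin/dockerd",
    "/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/wget", "/usr/bin/yum",
}
PRIVATE_SOURCE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destinations the rule does not count as "the internet": private, loopback,
# link-local, CGNAT, documentation, benchmark, multicast and reserved space.
NON_INTERNET_DESTINATION_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "192.175.48.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
HISTORY_WINDOW = timedelta(days=7)  # history_window_start = "now-7d"
CONNECT_ACTIONS = {"connection_attempted", "ipv4_connection_attempt_event"}


def in_any(ip_text, nets):
    """True when the address falls inside any of the given networks."""
    ip = ip_address(ip_text)
    return any(ip in net for net in nets)


def matches_query(event):
    """Mirror of the rule's KQL query: True when the event passes every filter."""
    if event.get("host.os.type") != "linux" or event.get("event.category") != "network":
        return False
    if event.get("event.action") not in CONNECT_ACTIONS:
        return False
    exe = event.get("process.executable", "")
    if not any(fnmatchcase(exe, pattern) for pattern in SUSPICIOUS_EXECUTABLE_PATTERNS):
        return False
    if exe in EXCLUDED_EXECUTABLES:
        return False
    if not in_any(event["source.ip"], PRIVATE_SOURCE_NETS):
        return False
    return not in_any(event["destination.ip"], NON_INTERNET_DESTINATION_NETS)


class NewTermsDetector:
    """Alerts the first time a (destination.ip, process.executable) pair appears
    that has not been seen within the history window."""

    def __init__(self, window=HISTORY_WINDOW):
        self.window = window
        self.last_seen = {}  # (destination.ip, process.executable) -> datetime

    def process(self, event):
        """Return an alert dict for a new term combination, else None."""
        if not matches_query(event):
            return None
        key = (event["destination.ip"], event["process.executable"])
        ts = event["@timestamp"]
        previous = self.last_seen.get(key)
        self.last_seen[key] = ts
        if previous is not None and ts - previous <= self.window:
            return None  # already known within the window: not a new term
        return {"@timestamp": ts, "destination.ip": key[0], "process.executable": key[1]}


def run_demo():
    """Feed constructed events (in time order) through the detector; return the alerts."""
    t0 = datetime(2023, 8, 1, 12, 0, 0)
    base = {"host.os.type": "linux", "event.category": "network",
            "event.action": "connection_attempted", "source.ip": "10.1.2.3"}
    # 8.8.8.8 is only a placeholder routable address outside the exclusion list.
    events = [
        dict(base, **{"@timestamp": t0, "process.executable": "/tmp/.cache/updater",
                      "destination.ip": "8.8.8.8"}),                        # new pair: alert
        dict(base, **{"@timestamp": t0 + timedelta(hours=1), "process.executable": "/tmp/.cache/updater",
                      "destination.ip": "8.8.8.8"}),                        # repeat inside window: no alert
        dict(base, **{"@timestamp": t0 + timedelta(hours=2), "process.executable": "/home/alice/.local/bin/tool",
                      "destination.ip": "192.168.1.10"}),                   # private destination: no alert
        dict(base, **{"@timestamp": t0 + timedelta(hours=3), "process.executable": "/opt/app/bin/server",
                      "destination.ip": "8.8.8.8"}),                        # path not in scope: no alert
        dict(base, **{"@timestamp": t0 + timedelta(hours=4), "process.executable": "/dev/shm/.x",
                      "destination.ip": "203.0.113.7", "event.action": "connection_accepted"}),  # wrong action: no alert
        dict(base, **{"@timestamp": t0 + timedelta(days=8), "process.executable": "/tmp/.cache/updater",
                      "destination.ip": "8.8.8.8"}),                        # outside the 7d window: new again
    ]
    detector = NewTermsDetector()
    return [alert for alert in (detector.process(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the demo yields two alerts: one for the first `/tmp/.cache/updater` connection and one eight days later, when the same pair has aged out of the history window. Because the new-terms key is the pair (destination.ip, process.executable), a known executable reaching a new address, or a new executable reaching a known address, each count as a new term; tuning the rule usually means extending the executable exclusions or the destination list rather than widening the window.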
Related rules
- Deprecated - Potential DNS Tunneling via Iodine
- Potential Protocol Tunneling via EarthWorm
- Attempt to Disable Syslog Service
- BPF filter applied using TC
- Base16 or Base32 Encoding/Decoding Activity