Perl Outbound Network Connection

Detects when Perl makes an outbound network connection to a non-private IP address. Perl is a scripting language that comes pre-installed on macOS and offers extensive capabilities for adversaries. Its use for network connections on macOS systems is uncommon and potentially suspicious.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects when Perl makes an outbound network connection to a non-private IP address. Perl is a scripting
language that comes pre-installed on macOS and offers extensive capabilities for adversaries. Its use for
network connections on macOS systems is uncommon and potentially suspicious.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Perl Outbound Network Connection"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Perl Outbound Network Connection

This rule detects Perl starting on macOS and then initiating an outbound connection to a public (non-private) IP, a pattern that stands out because Perl rarely performs direct network reach-outs in normal macOS workflows. Attackers often abuse Perl as a built-in “living off the land” runtime to beacon to external command-and-control over HTTP/S or to fetch and execute a second-stage payload from an internet host.

### Possible investigation steps

- Review the full command line, parent/child process tree, execution context (user, TTY, working directory), and referenced script/module paths to determine whether the run was expected or suspicious.
- Pivot on the external destination (IP, port, and any resolved domain from DNS telemetry) to assess reputation, hosting characteristics, and whether other endpoints have recently contacted the same infrastructure.
- Examine connection characteristics (protocol, TLS SNI/certificate, HTTP headers/user-agent, data volume, and timing) to identify staged downloads or beacon-like periodicity.
- Correlate nearby file activity for newly created or modified scripts, temp artifacts, or downloaded payloads, and validate them via hashes, signatures, and known-good baselines.
- Check for follow-on behavior consistent with persistence or lateral movement, such as new launchd/cron items, suspicious login items, or additional interpreters and shells spawned from the same lineage.

### False positive analysis

- A legitimate Perl script run by an administrator or scheduled maintenance task (e.g., log rotation, health checks, or API polling) may connect to a public service endpoint over HTTP/S, matching the Perl exec followed by a non-private destination IP pattern.
- A developer workflow that uses Perl one-liners or project scripts to fetch dependencies, query internet-hosted resources, or validate external URLs can generate outbound connections to public IPs that appear unusual on endpoints without an established baseline for Perl network use.

### Response and remediation

- Isolate the affected macOS host from the network (or block the specific destination IP/port at the egress firewall) and terminate the suspicious `perl` process to stop any active command-and-control or payload download.
- Collect and preserve the Perl command line, referenced script paths, current working directory, any newly written files (especially in `/tmp`, `/var/tmp`, and the user’s `~/Library`), and the full process tree for forensic review before cleanup.
- Remove or quarantine the identified Perl script and any downloaded payloads, then eradicate persistence by deleting malicious `launchd` agents/daemons, cron entries, and suspicious Login Items created around the time of the outbound connection.
- Reimage or restore the endpoint from a known-good source if integrity cannot be confidently validated, rotate credentials used on the device, and invalidate active sessions/tokens that may have been exposed to the Perl process.
- Escalate to IR/forensics immediately if the destination infrastructure is contacted by multiple hosts, the Perl process runs under a privileged context, or you observe repeated beacon-like connections or evidence of persistence beyond a single script execution.
- Harden by restricting interpreter execution (Perl, Python, Ruby) via endpoint controls, enforcing outbound allowlisting/proxying for user endpoints, and adding detections for Perl launching network tools or writing executable content into user-writable directories.
"""
risk_score = 47
rule_id = "aba3bc11-e02f-4a03-8889-d86ea1a44f76"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=30s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.name == "perl" and not process.args like "/usr/bin/xpath"]
  [network where host.os.type == "macos" and event.type == "start" and process.name == "perl" and
    not cidrmatch(destination.ip,
        "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
        "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "192.88.99.0/24",
        "224.0.0.0/4", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Command and Control"
  id = "TA0011"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  name = "Application Layer Protocol"
  id = "T1071"
  reference = "https://attack.mitre.org/techniques/T1071/"

    [[rule.threat.technique.subtechnique]]
    name = "Web Protocols"
    id = "T1071.001"
    reference = "https://attack.mitre.org/techniques/T1071/001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Execution"
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"

  [[rule.threat.technique]]
  name = "Command and Scripting Interpreter"
  id = "T1059"
  reference = "https://attack.mitre.org/techniques/T1059/"
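The EQL query above has three moving parts that decide whether a given perl run fires the rule: the exec-stage exclusion of runs whose arguments name /usr/bin/xpath, the cidrmatch() list of destination ranges that are suppressed, and the 30-second maxspan between the exec and the connection from the same process.entity_id. The following Python is an added example, not Elastic's EQL engine or any code from the rule repository: it re-implements that logic offline over constructed ECS-style events so an analyst can reason about why a particular event pair does or does not match. The CIDR list is copied verbatim from the rule; the sample events, timestamps and entity IDs are made up, and the sequence handling is an approximation (most recent exec for the same entity, consumed by one match) rather than the exact EQL runtime semantics.

```python
"""Offline re-implementation of the "Perl Outbound Network Connection" sequence.

Added illustration only: the CIDR list mirrors the rule's cidrmatch() call, the
event records are constructed samples, and sequence matching is approximated.
"""
import ipaddress
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=30)  # "with maxspan=30s" in the rule

# Copied from the rule's cidrmatch() argument list. ipaddress accepts the bare
# "::1" as a /128 host network and upper-case hex digits in IPv6 prefixes.
EXCLUDED_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8",
)]


def is_excluded_destination(ip: str) -> bool:
    """True when the destination falls in a range the rule suppresses.
    An IPv4 address is never "in" an IPv6 network (and vice versa)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_RANGES)


def _is_perl_exec(ev: dict) -> bool:
    """Stage 1: perl process exec on macOS. The rule's `like "/usr/bin/xpath"`
    pattern carries no wildcard, so it reduces to an exact match on any arg."""
    return (ev["event.category"] == "process"
            and ev["host.os.type"] == "macos"
            and ev["event.type"] == "start"
            and ev["event.action"] == "exec"
            and ev["process.name"] == "perl"
            and "/usr/bin/xpath" not in ev.get("process.args", []))


def _is_public_network(ev: dict) -> bool:
    """Stage 2: network start from perl to a destination outside the list."""
    return (ev["event.category"] == "network"
            and ev["host.os.type"] == "macos"
            and ev["event.type"] == "start"
            and ev["process.name"] == "perl"
            and not is_excluded_destination(ev["destination.ip"]))


def run_rule(events: list[dict]) -> list[dict]:
    """Return the network events that complete the sequence.

    Approximation of `sequence by process.entity_id`: the most recent stage-1
    hit for the same entity must lie within MAXSPAN before the stage-2 event,
    and each stage-1 hit is consumed by the first stage-2 candidate it sees.
    """
    pending: dict[str, datetime] = {}  # entity_id -> timestamp of stage-1 hit
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process.entity_id"]
        if _is_perl_exec(ev):
            pending[eid] = ev["@timestamp"]
        elif _is_public_network(ev) and eid in pending:
            if ev["@timestamp"] - pending[eid] <= MAXSPAN:
                hits.append(ev)
            del pending[eid]
    return hits


# ---- constructed sample telemetry (not real data) ----
T0 = datetime(2026, 2, 9, 12, 0, 0)


def _exec(eid, t, args):
    return {"@timestamp": t, "event.category": "process", "event.type": "start",
            "event.action": "exec", "host.os.type": "macos",
            "process.name": "perl", "process.entity_id": eid, "process.args": args}


def _net(eid, t, dst):
    return {"@timestamp": t, "event.category": "network", "event.type": "start",
            "host.os.type": "macos", "process.name": "perl",
            "process.entity_id": eid, "destination.ip": dst}


SAMPLE_EVENTS = [
    # A: perl script reaching a public (TEST-NET-3) address 2 s later -> fires
    _exec("A", T0, ["perl", "fetch.pl"]),
    _net("A", T0 + timedelta(seconds=2), "203.0.113.10"),
    # B: same destination, but the exec names the excluded xpath path -> no match
    _exec("B", T0, ["perl", "/usr/bin/xpath", "-e", "//a"]),
    _net("B", T0 + timedelta(seconds=2), "203.0.113.10"),
    # C: destination inside 10.0.0.0/8 -> suppressed by cidrmatch
    _exec("C", T0, ["perl", "backup.pl"]),
    _net("C", T0 + timedelta(seconds=1), "10.1.2.3"),
    # D: public destination, but 45 s after exec -> outside maxspan
    _exec("D", T0, ["perl", "poll.pl"]),
    _net("D", T0 + timedelta(seconds=45), "203.0.113.10"),
    # E: IPv6 link-local destination -> suppressed by FE80::/10
    _exec("E", T0, ["perl", "lan.pl"]),
    _net("E", T0 + timedelta(seconds=3), "fe80::1"),
]


def matched_entities(events=SAMPLE_EVENTS) -> list[str]:
    """Entity IDs whose event pair satisfies the rule."""
    return [h["process.entity_id"] for h in run_rule(events)]


if __name__ == "__main__":
    print(matched_entities())  # → ['A']
```

Only entity A survives all three filters. Cases B, C, D and E each isolate one of the rule's suppression conditions, which is a useful pattern when tuning: before adding a new exclusion for a noisy maintenance script (see the false-positive notes above), construct its exec and network events the same way and confirm the exclusion silences that case without also silencing the public-destination case.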
