Suspicious Outbound Network Connection via Unsigned Binary

 1[metadata]
 2creation_date = "2026/01/30"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2026/01/30"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects the execution of an unsigned or untrusted binary followed by an outbound network connection to a 
11raw IP address on a non-standard port. Many malicious payloads will connect directly to C2 or a payload 
12server using non-standard ports.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Suspicious Outbound Network Connection via Unsigned Binary"
19risk_score = 73
20rule_id = "e7e0588b-2b55-4f88-afd1-cf98e95e0f58"
21severity = "high"
22tags = [
23    "Domain: Endpoint",
24    "OS: macOS",
25    "Use Case: Threat Detection",
26    "Tactic: Command and Control",
27    "Data Source: Elastic Defend",
28    "Resources: Investigation Guide"
29]
30type = "eql"
31note = """## Triage and analysis
32
33> **Disclaimer**:
34> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
35
36### Investigating Suspicious Outbound Network Connection via Unsigned Binary
37
38Unsigned or untrusted binaries making outbound network connections to raw IP addresses on non-standard ports is a significant indicator of malware activity. Legitimate macOS applications are typically code-signed by Apple or identified developers, while malware often lacks valid signatures. This detection rule identifies this suspicious combination of unsigned binaries with network activity to detect potential command and control communication or data exfiltration attempts.
39
40### Possible investigation steps
41
42- Review the process.executable and process.hash fields to identify the unsigned binary and search for its hash in threat intelligence databases and malware repositories.
43- Examine the process.code_signature fields to understand why the binary is untrusted, including whether it lacks a signature entirely or has an invalid or revoked certificate.
44- Analyze the destination.ip and destination.port fields to identify the remote endpoint and research it in threat intelligence sources for known malicious infrastructure.
45- Investigate the process.parent.executable and process.command_line to understand how the unsigned binary was launched and trace the execution chain to the initial access vector.
46- Review file.creation and file.modification events to determine when and how the unsigned binary was placed on the system.
47- Check for persistence mechanisms that may have been created by or for the unsigned binary, such as LaunchAgents, LaunchDaemons, or cron jobs.
48- Correlate with other network events from the same host to identify patterns of C2 communication or additional indicators of compromise.
49
50### False positive analysis
51
52- Custom internal tools developed in-house may be unsigned and require network access for legitimate business purposes. Verify with development teams and consider adding specific exclusions.
53- Development builds and testing environments may use unsigned binaries during the software development lifecycle. Document these activities and create targeted exceptions.
54- Open-source utilities compiled locally may not have code signatures. Evaluate these on a case-by-case basis and add to exclusion lists if verified safe.
55- Homebrew and other package manager binaries are already excluded but verify that legitimate tools from these sources are not being flagged.
56
57### Response and remediation
58
59- Immediately terminate the unsigned process and block the destination IP address at network perimeters and endpoint firewalls.
60- Quarantine the unsigned binary for forensic analysis and malware reverse engineering.
61- Conduct a comprehensive scan of the affected system to identify additional malware components, persistence mechanisms, or lateral movement indicators.
62- Investigate how the unsigned binary was delivered to the system and remediate the initial access vector.
63- Review other systems in the environment for the same binary hash or similar indicators of compromise.
64- Implement application allowlisting policies to prevent unauthorized unsigned binaries from executing.
65- Escalate to the incident response team for further investigation if the binary is confirmed malicious.
66"""
67query = '''
68sequence by process.entity_id with maxspan=1m
69  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and 
70    (process.code_signature.trusted == false or process.code_signature.exists == false) and
71    process.args_count == 1 and
72    not process.executable like "/opt/homebrew/*"]
73  [network where host.os.type == "macos" and event.type == "start" and 
74    destination.domain == null and 
75    not destination.port in (443, 80, 53, 22, 25, 587, 993, 465, 8080, 8200, 9200) and 
76    destination.port < 49152 and
77    not cidrmatch(destination.ip, "0.0.0.0", "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", 
78                  "198.19.0.0/16", "192.18.0.0/15", "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", 
79                  "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.31.196.0/24", 
80                  "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "100.64.0.0/10", 
81                  "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
82                  "::1", "FE80::/10", "FF00::/8")]
83'''
84
85[[rule.threat]]
86framework = "MITRE ATT&CK"
87
88  [rule.threat.tactic]
89  name = "Command and Control"
90  id = "TA0011"
91  reference = "https://attack.mitre.org/tactics/TA0011/"
92
93  [[rule.threat.technique]]
94  name = "Non-Standard Port"
95  id = "T1571"
96  reference = "https://attack.mitre.org/techniques/T1571/"