Suspicious Command Prompt Network Connection
Identifies a network connection by the command prompt (cmd.exe) when it is executed with specific arguments, such as a script or a URL, or when it is spawned by Microsoft Office applications. Adversaries often abuse cmd.exe to download malicious payloads or establish command and control channels from a remote source.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/02/23"

[rule]
author = ["Elastic"]
description = """
Identifies a network connection by the command prompt (cmd.exe) when it is executed with specific arguments, such as a
script or a URL, or when it is spawned by Microsoft Office applications. Adversaries often abuse cmd.exe to download
malicious payloads or establish command and control channels from a remote source.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.network-*",
  "logs-windows.sysmon_operational-*",
  "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Command Prompt Network Connection"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Command Prompt Network Connection

This alert identifies a Windows `cmd.exe` process start event that is quickly followed by a network connection from the same `cmd.exe` instance (`process.entity_id`). The command line indicates scripted execution (batch files), references to remote resources (URL-like strings), or execution launched by a Microsoft Office application. This pattern can be used to download payloads, stage execution, or establish command and control.

#### Triage and analysis steps

- Confirm the matched sequence and keep analysis tied to the correct process instance:
  - Use the `Investigate in timeline` button in the Alerts table or pivot on `process.entity_id` to review both the process start event and the associated network event(s).
  - Example KQL pivots:
    - `process.entity_id:"<process_entity_id>" and event.category:process`
    - `process.entity_id:"<process_entity_id>" and event.category:network`

- Determine why `cmd.exe` matched and assess intent:
  - Review `process.args` to confirm the interpreter switch (`/c` to execute and exit, `/k` to remain open).
  - Identify which match condition applies:
    - Batch script: `process.args` includes a `.bat` or `.cmd` reference.
    - Remote resource: `process.command_line` contains `http://`, `https://`, or `ftp://`.
    - Office parent: `process.parent.name` is one of `winword.exe`, `excel.exe`, `powerpnt.exe`, `outlook.exe`, `msaccess.exe`, or `mspub.exe`.
  - Look for staging or obfuscation patterns in `process.command_line` (for example: `&`/`&&`/`||`, pipes `|`, redirection `>`/`>>`, escaping `^`, environment variables, or long encoded strings).

- Validate the execution context and launch vector:
  - Review `user.*` fields to determine who ran the command and whether it is expected for the host role.
  - Review `process.parent.name` (and `process.parent.command_line` if available) to understand the initial trigger:
    - Office parent: prioritize identifying the initiating document or message and any user interaction around `@timestamp`.
    - Management tooling or installer parent: validate change control and whether the command line and destination are consistent with that software.
  - If a batch script is referenced, locate the script on the host (if telemetry allows) and capture path and hash (`file.path`, `file.hash.sha256`) for scoping.

- Analyze the outbound destination:
  - Review `destination.ip` and `destination.port` for expectedness (business relationship, known vendor, or organization-owned public IP space).
  - Note: the rule excludes common private and reserved address ranges, but it can still alert on connections to legitimate public services.
  - Pivot on `destination.ip` to identify other hosts contacting the same destination near `@timestamp`:
    - `destination.ip:"<destination_ip>" and event.category:network`
  - Check whether the same `process.entity_id` generated repeated connections (potential beaconing) versus a single connection (one-time retrieval).

- Reconstruct follow-on activity and potential impact:
  - Identify child processes spawned by `cmd.exe` and look for common follow-on tooling (for example: `powershell.exe`, `mshta.exe`, `rundll32.exe`, `regsvr32.exe`, `certutil.exe`, `bitsadmin.exe`, `curl.exe`, `wget.exe`).
  - If file telemetry is available, review file creation/modification shortly after `@timestamp` and correlate any new binaries or scripts with hashes and execution events.

- Scope the activity (blast radius):
  - Search for the same `process.command_line` (or distinctive substrings), script name, or extracted URL across endpoints.
  - Search for other `cmd.exe` instances connecting to the same `destination.ip` or the same destination port/protocol.
  - If the parent is Office, scope for the same parent-child relationship (`process.parent.name` -> `cmd.exe`) across users and hosts.

### False positive analysis

- Software deployment, packaging, or endpoint management workflows that use `cmd.exe /c` to run batch scripts and contact vendor services.
- Signed installer or updater activity where `cmd.exe` is used as a helper process with stable command lines.
- Documented Office macros/add-ins/templates that legitimately spawn `cmd.exe` with consistent command lines and destinations.

A benign determination is more likely when the combination of `process.parent.name`, stable `process.command_line`, and consistent `destination.ip`/`destination.port` repeats across an expected set of hosts and users and aligns to a documented workflow owner.

### Response and remediation

- If the activity is suspicious or cannot be attributed to an approved workflow:
  - Contain the affected endpoint (`host.id`) using available endpoint or network controls.
  - Preserve evidence (at minimum):
    - `@timestamp`, `host.*`, `user.*`
    - `process.entity_id`, `process.command_line`, `process.args`, `process.parent.*`
    - `destination.ip`, `destination.port`, `network.*`
    - Any related child processes and file artifacts (paths and hashes) identified during triage
  - Scope for related activity by searching for additional occurrences of the same destination and command-line patterns.
  - If Office is the launch vector, identify and quarantine the initiating document or email and assess whether similar content was delivered to other users.
  - If a script is involved, collect and review the script contents and investigate how it was introduced (downloads, email attachments, shared drives, logon scripts, scheduled tasks).
  - If account compromise is suspected, follow established identity response procedures (credential reset, session review, and access auditing).

- If the activity is confirmed benign:
  - Document the expected parent process, command-line pattern, and destinations.
  - Consider adding a narrowly scoped exception using stable identifiers and constrained conditions (for example, specific `process.command_line` patterns and known destinations) to reduce recurring noise.
"""
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=15s
  [process where host.os.type == "windows" and event.type == "start" and
   process.name : "cmd.exe" and process.args : ("/c", "/k") and
   (
     process.args : ("*.bat", "*.cmd") or
     process.command_line : ("*http://*", "*https://*", "*ftp://*") or
     process.parent.name : ("excel.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe")
   )
  ]
  [network where host.os.type == "windows" and process.name : "cmd.exe" and
   not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
                 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
                 "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
                 "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
                 "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
                 "FE80::/10", "FF00::/8")]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.name",
  "host.id",
  "user.name",
  "user.domain",
  "user.id",
  "process.entity_id",
  "process.name",
  "process.parent.name"
]
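As an added example (not Elastic's code), the following Python is a simplified emulation of the query's two-stage EQL sequence run over constructed ECS-style events: it shows how the three start-event triggers, the 15-second maxspan and the cidrmatch() exclusion combine to decide which cmd.exe instances alert. The event dictionary layout, the helper names and the address 11.22.33.44 (a placeholder for a non-excluded public address) are assumptions made for the example; real EQL sequence state handling is richer than the single pending start per entity_id kept here.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

MAXSPAN = timedelta(seconds=15)
OFFICE = ("excel.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe")
# The ranges the query passes to cidrmatch(), copied from the rule above.
EXCLUDED = [ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
    "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
    "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]

def stage1_matches(ev):
    """Stage 1: cmd.exe start with /c or /k plus a batch-script, URL, or Office-parent trigger."""
    p = ev["process"]
    args, cl = [a.lower() for a in p.get("args", [])], p.get("command_line", "").lower()
    return (ev["event"]["category"] == "process" and ev["event"]["type"] == "start"
            and p["name"].lower() == "cmd.exe" and any(a in ("/c", "/k") for a in args)
            and (any(fnmatch(a, "*.bat") or fnmatch(a, "*.cmd") for a in args)
                 or any(s in cl for s in ("http://", "https://", "ftp://"))
                 or p.get("parent", {}).get("name", "").lower() in OFFICE))

def stage2_matches(ev):  # stage 2: cmd.exe network event to a destination outside every excluded range
    return (ev["event"]["category"] == "network" and ev["process"]["name"].lower() == "cmd.exe"
            and not any(ip_address(ev["destination"]["ip"]) in net for net in EXCLUDED))

def find_sequences(events):
    """Simplified emulation of `sequence by process.entity_id with maxspan=15s`; returns alerting ids."""
    pending, hits = {}, []  # pending: entity_id -> timestamp of the matching start event
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process"]["entity_id"]
        if stage1_matches(ev):
            pending[eid] = ev["@timestamp"]
        elif stage2_matches(ev) and eid in pending and ev["@timestamp"] - pending.pop(eid) <= MAXSPAN:
            hits.append(eid)
    return hits

T0 = datetime(2024, 1, 1, 12, 0, 0)
def _ev(sec, category, eid, args=(), command_line="", parent="explorer.exe", dst=None):
    """Constructed ECS-like sample event (not real telemetry); field layout is an assumption."""
    return {"@timestamp": T0 + timedelta(seconds=sec), "destination": {"ip": dst},
            "event": {"category": category, "type": "start" if category == "process" else "connection"},
            "process": {"entity_id": eid, "name": "cmd.exe", "args": list(args),
                        "command_line": command_line, "parent": {"name": parent}}}

SAMPLE_EVENTS = [  # 11.22.33.44 is a constructed placeholder for a non-excluded public address
    _ev(0, "process", "A", ["cmd.exe", "/c", "start"], parent="winword.exe"),   # Office parent
    _ev(3, "network", "A", dst="11.22.33.44"),                                   # 3s later -> alert
    _ev(0, "process", "B", ["cmd.exe", "/c", "C:\\deploy\\run.bat"]),           # batch script
    _ev(2, "network", "B", dst="10.1.2.3"),                                      # excluded range, no alert
    _ev(0, "process", "C", ["cmd.exe", "/c"], command_line="cmd.exe /c echo https://example.test/"),
    _ev(40, "network", "C", dst="11.22.33.44"),                                  # outside maxspan, no alert
]
```

Only entity `A` alerts: `B` connects to an excluded private range and `C` connects after the 15-second window has closed, which is also why a connection to a legitimate public service within the window still fires.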