Command Prompt Network Connection
Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/02/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a
13remote URL.
14"""
15false_positives = [
16 """
17 Administrators may use the command prompt for regular administrative tasks. It's important to baseline your
18 environment for network connections being made from the command prompt to determine any abnormal use of this tool.
19 """,
20]
21from = "now-9m"
22index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
23language = "eql"
24license = "Elastic License v2"
25name = "Command Prompt Network Connection"
26references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
27risk_score = 21
28rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
29severity = "low"
30tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
31type = "eql"
32
33query = '''
34sequence by process.entity_id
35 [process where host.os.type == "windows" and process.name : "cmd.exe" and event.type == "start"]
36 [network where host.os.type == "windows" and process.name : "cmd.exe" and
37 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
38 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
39 "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
40 "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
41 "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
42 "FE80::/10", "FF00::/8")]
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1059"
50name = "Command and Scripting Interpreter"
51reference = "https://attack.mitre.org/techniques/T1059/"
52
53
54[rule.threat.tactic]
55id = "TA0002"
56name = "Execution"
57reference = "https://attack.mitre.org/tactics/TA0002/"
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1105"
62name = "Ingress Tool Transfer"
63reference = "https://attack.mitre.org/techniques/T1105/"
64
65
66[rule.threat.tactic]
67id = "TA0011"
68name = "Command and Control"
69reference = "https://attack.mitre.org/tactics/TA0011/"