Command Prompt Network Connection
Identifies cmd.exe making a network connection to a destination outside the private, loopback, link-local and other IANA special-purpose address ranges (connections to internal addresses are excluded by the query). Adversaries could abuse cmd.exe to download or execute malware from a remote URL.
# Rule bookkeeping consumed by Elastic's detection-rules tooling; nothing here affects the query logic.
[metadata]
creation_date = "2020/02/18"
# Telemetry sources this rule is written for; the index patterns under [rule] correspond to these.
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Presumably the minimum stack version that supports the fields named in min_stack_comments — confirm before backporting.
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a
remote URL.
"""
# Expected benign noise: interactive or scripted admin use of cmd.exe that reaches public hosts.
# Baseline the environment before raising severity or wiring this rule to automated response.
false_positives = [
 """
 Administrators may use the command prompt for regular administrative tasks. It's important to baseline your
 environment for network connections being made from the command prompt to determine any abnormal use of this tool.
 """,
]
# Lookback window for each rule execution. NOTE(review): the query is a two-event sequence, so both the
# process start and the network event presumably have to fall inside this window; a long-lived cmd.exe
# whose first outbound connection happens later than the window would then not be paired with its
# start event — confirm against the rule's schedule/interval.
from = "now-9m"
# Process and network events from Winlogbeat, Elastic Endpoint and the Windows integration.
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Command Prompt Network Connection"
# IANA IPv4 Special-Purpose Address Registry: the source of the cidrmatch() exclusion list in `query`.
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
# Low severity/score: a hit is a baselining and triage signal, not a confirmed-malicious indicator
# (see false_positives above).
severity = "low"
# NOTE(review): only the Execution tactic is tagged, although the threat mapping in this file also
# covers Command and Control (TA0011 / T1105); consider adding a matching tag for consistency.
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "eql"

# Two-stage EQL sequence correlated on process.entity_id:
#   1. a cmd.exe process start (event.type == "start");
#   2. any later network event recorded for that same process whose destination.ip is NOT in one of
#      the listed loopback, link-local, RFC 1918 private, shared/CGNAT (100.64.0.0/10), multicast,
#      documentation/benchmark, reserved or other IANA special-purpose ranges.
# Net effect: only cmd.exe connections to routable public addresses produce an alert.
#
# Tuning caveats:
# - No `maxspan` is set, so the network event may follow the start by any interval that still falls
#   inside the rule's lookback window (`from`).
# - Internal destinations are deliberately excluded, so cmd.exe connections used for lateral
#   movement or to an internal staging host will not fire this rule.
# - IPv6 exclusions cover only ::1, fe80::/10 and ff00::/8. Unique-local addresses (fc00::/7) are
#   not excluded, so internal IPv6 traffic can alert — consider adding fc00::/7 if the environment
#   uses ULA space. NOTE(review): confirm against your own address plan before changing coverage.
# - `process.name : "cmd.exe"` matches the reported file name only; a renamed copy of cmd.exe
#   presumably would not match (an original-file-name field would be needed to catch that).
# - The exclusion list lives inside the query string; editing it changes detection coverage, so
#   document any site-specific additions.
query = '''
sequence by process.entity_id
 [process where host.os.type == "windows" and process.name : "cmd.exe" and event.type == "start"]
 [network where host.os.type == "windows" and process.name : "cmd.exe" and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
 "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
 "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
 "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
 "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
 "FE80::/10", "FF00::/8")]
'''


# MITRE ATT&CK mapping. Two entries because the behaviour spans two tactics: cmd.exe acting as the
# command interpreter (Execution / T1059) and the outbound connection as a possible tool download
# (Command and Control / T1105). Each [[rule.threat]] entry carries one tactic and its technique(s).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"