Suspicious Network Activity to the Internet by Previously Unknown Executable

This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination IP address. An alert from this rule can indicate potentially malicious activity, such as an unauthorized or suspicious process attempting to establish connections to unknown or suspicious destinations, for example a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from compromise.

Rule type: new_terms

Rule indices:

  • auditbeat-*
  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-59m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable:(
  (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
   /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*
  ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)
 ) and
source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
not process.name:(
 apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or
 saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*
) and
not destination.ip:(
   10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or
   192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or
   192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or
   198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
)
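
The filter logic of the query above, re-implemented in Python as an added example (not part of the Elastic rule or its documentation) and run over constructed events to show which connections survive each clause; field names follow the query, while the sample paths, process names and IP addresses are made up. The new_terms step, which alerts only when the executable/destination pair has not been seen before, is not reproduced here.

```python
import fnmatch
import ipaddress

# Patterns copied from the rule query; fnmatch's "*" matches "/" like the KQL wildcard.
SUSPICIOUS_EXE = ["/etc/crontab", "/etc/rc.local", "./*", "/boot/*", "/dev/shm/*",
                  "/etc/cron.*/*", "/etc/init.d/*", "/etc/rc*.d/*", "/etc/update-motd.d/*",
                  "/home/*/.*", "/run/*", "/srv/*", "/tmp/*", "/usr/lib/update-notifier/*",
                  "/var/tmp/*"]
EXE_EXCLUDED = ["/tmp/newroot/*", "/tmp/snap.rootfs*"]
PROC_ALLOWLIST = ["apt", "chrome", "curl", "dnf", "dockerd", "dpkg", "firefox-bin", "java",
                  "kite-update", "kited", "node", "rpm", "saml2aws", "wget", "yum", "ansible*",
                  "aws*", "php*", "pip*", "python*", "steam*", "terraform*"]
PRIVATE_SRC = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NON_INTERNET_DST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32",
    "192.0.0.8/32", "192.0.0.9/32", "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "::1", "FE80::/10",
    "FF00::/8")]

def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def matches_rule(ev):
    """True when one event satisfies every clause of the query (new_terms is applied later)."""
    return (ev.get("host.os.type") == "linux" and ev.get("event.category") == "network"
            and ev.get("event.action") in ("connection_attempted", "ipv4_connection_attempt_event")
            and _glob_any(ev["process.executable"], SUSPICIOUS_EXE)
            and not _glob_any(ev["process.executable"], EXE_EXCLUDED)
            and _in_any(ev["source.ip"], PRIVATE_SRC)
            and not _glob_any(ev["process.name"], PROC_ALLOWLIST)
            and not _in_any(ev["destination.ip"], NON_INTERNET_DST))

def alerting_executables(events):
    """Executables whose events pass every filter, i.e. candidates for a new_terms alert."""
    return sorted({ev["process.executable"] for ev in events if matches_rule(ev)})

# Constructed sample events (no real telemetry); 91.200.10.5 stands in for any public address.
def _ev(exe, name, src, dst):
    return {"host.os.type": "linux", "event.category": "network", "event.action": "connection_attempted",
            "process.executable": exe, "process.name": name, "source.ip": src, "destination.ip": dst}
SAMPLE_EVENTS = [
    _ev("/dev/shm/.x", ".x", "10.1.2.3", "91.200.10.5"),                      # fires: hidden binary in /dev/shm
    _ev("/tmp/snap.rootfs_a/usr/bin/foo", "foo", "10.1.2.3", "91.200.10.5"),  # snap path is excluded
    _ev("/home/dev/.local/bin/pip3", "pip3", "192.168.1.20", "91.200.10.5"),  # pip* is allow-listed
    _ev("/var/tmp/agent", "agent", "172.16.5.5", "10.0.0.5"),                 # destination is internal
]
```

Running `alerting_executables(SAMPLE_EVENTS)` returns only `/dev/shm/.x`; the other three events each fail exactly one exclusion, which is a quick way to see what a tuning change to the allow-lists would re-admit.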

Framework: MITRE ATT&CK™