Suspicious Network Activity to the Internet by Previously Unknown Executable

This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination IP address. An alert from this rule can indicate potentially malicious activity, such as an unauthorized or suspicious process attempting to establish a connection to an unknown destination such as a command and control server. Detecting and investigating such behavior helps identify and mitigate threats before the system and its data are compromised.

Rule type: new_terms

Rule indices:

  • auditbeat-*
  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-59m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Command and Control
  • Data Source: Elastic Endgame

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

host.os.type:linux and event.category:network and
event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable : (
    (/etc/crontab or
     /etc/rc.local or
     /boot/* or
     /dev/shm/* or
     /etc/cron.*/* or
     /etc/init.d/* or
     /etc/rc*.d/* or
     /etc/update-motd.d/* or
     /home/*/.* or
     /run/* or
     /srv/* or
     /tmp/* or
     /usr/lib/update-notifier/* or
     /var/tmp/*) and
     not (/usr/bin/apt or
          /usr/bin/curl or
          /usr/bin/dnf or
          /usr/bin/dockerd or
          /usr/bin/dpkg or
          /usr/bin/rpm or
          /usr/bin/wget or
          /usr/bin/yum)
    )
and source.ip : (
    10.0.0.0/8 or
    127.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16) and
    not destination.ip : (
        10.0.0.0/8 or
        100.64.0.0/10 or
        127.0.0.0/8 or
        169.254.0.0/16 or
        172.16.0.0/12 or
        192.0.0.0/24 or
        192.0.0.0/29 or
        192.0.0.10/32 or
        192.0.0.170/32 or
        192.0.0.171/32 or
        192.0.0.8/32 or
        192.0.0.9/32 or
        192.0.2.0/24 or
        192.168.0.0/16 or
        192.175.48.0/24 or
        192.31.196.0/24 or
        192.52.193.0/24 or
        192.88.99.0/24 or
        198.18.0.0/15 or
        198.51.100.0/24 or
        203.0.113.0/24 or
        224.0.0.0/4 or
        240.0.0.0/4 or
        "::1" or
        "FE80::/10" or
        "FF00::/8")
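As an added example (not code from the Elastic rule or this page), the following Python re-implements the query's filter clauses and a minimal new-terms tracker, then runs them over constructed sample events. The tracked term pair (process.executable, destination.ip) is an assumption drawn from the rule description; the page does not list the rule's new-terms fields or its history window. The public IP addresses in the samples are placeholders, not observed infrastructure.

```python
"""Added example: the rule's filter clauses in Python plus a minimal new-terms
tracker, run over constructed sample events. The tracked term
(process.executable, destination.ip) is an assumption from the description."""
import fnmatch
import ipaddress

# Directories the rule treats as suspicious (KQL wildcards; * spans "/").
SUSPICIOUS_EXECUTABLE_GLOBS = [
    "/etc/crontab", "/etc/rc.local", "/boot/*", "/dev/shm/*", "/etc/cron.*/*",
    "/etc/init.d/*", "/etc/rc*.d/*", "/etc/update-motd.d/*", "/home/*/.*",
    "/run/*", "/srv/*", "/tmp/*", "/usr/lib/update-notifier/*", "/var/tmp/*",
]
EXCLUDED_EXECUTABLES = {
    "/usr/bin/apt", "/usr/bin/curl", "/usr/bin/dnf", "/usr/bin/dockerd",
    "/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/wget", "/usr/bin/yum",
}
ACTIONS = {"connection_attempted", "ipv4_connection_attempt_event"}
PRIVATE_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destinations the rule does not count as "internet" (RFC 1918, special-use,
# documentation, multicast, reserved, and the three IPv6 entries).
NON_INTERNET_DEST_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32",
    "192.0.0.170/32", "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24", "192.31.196.0/24",
    "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8")]


def in_any(ip_str, nets):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in n for n in nets if n.version == ip.version)


def matches_query(ev):
    """True when an ECS-style event satisfies every clause of the rule query."""
    if ev.get("host.os.type") != "linux" or ev.get("event.category") != "network":
        return False
    if ev.get("event.action") not in ACTIONS:
        return False
    exe = ev.get("process.executable", "")
    if exe in EXCLUDED_EXECUTABLES:
        return False
    if not any(fnmatch.fnmatchcase(exe, g) for g in SUSPICIOUS_EXECUTABLE_GLOBS):
        return False
    src, dst = ev.get("source.ip"), ev.get("destination.ip")
    if not src or not dst or not in_any(src, PRIVATE_SOURCE_NETS):
        return False  # the source.ip clause lists only IPv4 ranges
    return not in_any(dst, NON_INTERNET_DEST_NETS)


class NewTermsDetector:
    """Alert the first time a (executable, destination.ip) pair is seen."""

    def __init__(self):
        self.seen = set()

    def process(self, events):
        alerts = []
        for ev in events:
            if not matches_query(ev):
                continue
            term = (ev["process.executable"], ev["destination.ip"])
            if term not in self.seen:
                self.seen.add(term)
                alerts.append(ev)
        return alerts


def make_event(exe, src, dst, action="connection_attempted", os_type="linux"):
    return {"host.os.type": os_type, "event.category": "network",
            "event.action": action, "process.executable": exe,
            "source.ip": src, "destination.ip": dst}


# Constructed sample events; public IPs are placeholders, not observed C2.
SAMPLE_EVENTS = [
    make_event("/tmp/.x/agent", "10.1.2.3", "8.8.8.8"),                    # alert
    make_event("/tmp/.x/agent", "10.1.2.3", "8.8.8.8"),                    # repeat, suppressed
    make_event("/tmp/.x/agent", "10.1.2.3", "1.1.1.1"),                    # new destination
    make_event("/home/alice/.cache/bin/up", "192.168.1.10", "172.16.5.5"),  # private dst
    make_event("/usr/bin/curl", "10.1.2.3", "8.8.8.8"),                    # not a suspicious dir
    make_event("/dev/shm/.k", "203.0.113.5", "8.8.8.8"),                   # non-private src
    make_event("/var/tmp/kw", "192.168.1.10", "224.0.0.251"),              # multicast dst
    make_event("/run/x", "fd00::1", "2001:4860:4860::8888"),               # IPv6 src, never matches
    make_event("/tmp/.x/agent", "10.1.2.3", "8.8.8.8", os_type="windows"),
]


def run_demo():
    return NewTermsDetector().process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT", a["process.executable"], "->", a["destination.ip"])
```

Running it produces two alerts (the first /tmp/.x/agent connection to 8.8.8.8 and the later one to 1.1.1.1); the repeat is suppressed by the new-terms set, and the remaining samples fail a filter clause. Two points the run makes visible: KQL `*` matches across path separators, so `/home/*/.*` covers any dotfile path under a home directory (fnmatch behaves the same way here), and the `source.ip` clause lists only IPv4 ranges, so an IPv6-sourced connection never fires this rule even when its destination is public.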

Framework: MITRE ATT&CK™