1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "Identifies network activity from Windows system applications that are not normally expected to generate it. This may indicate adversarial activity, as these applications are often leveraged by adversaries to execute code and evade detection.",
6  "from": "now-9m",
7  "index": [
8    "logs-endpoint.events.*",
9    "winlogbeat-*",
10    "logs-windows.*"
11  ],
12  "language": "eql",
13  "license": "Elastic License v2",
14  "name": "Unusual Network Activity from a Windows System Binary",
15  "query": "sequence by process.entity_id with maxspan=5m\n  [process where event.type in (\"start\", \"process_started\") and\n\n     /* known applocker bypasses */\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n  [network where\n     (process.name : \"bginfo.exe\" or\n      process.name : \"cdb.exe\" or\n      process.name : \"control.exe\" or\n      process.name : \"cmstp.exe\" or\n      process.name : \"csi.exe\" or\n      process.name : \"dnx.exe\" or\n      process.name : \"fsi.exe\" or\n      process.name : \"ieexec.exe\" or\n      process.name : \"iexpress.exe\" or\n      process.name : \"installutil.exe\" or\n      process.name : \"Microsoft.Workflow.Compiler.exe\" or\n      process.name : \"MSBuild.exe\" or\n      process.name : \"msdt.exe\" or\n      process.name : \"mshta.exe\" or\n      process.name : \"msiexec.exe\" or\n      process.name : \"msxsl.exe\" or\n      process.name : \"odbcconf.exe\" or\n      process.name : \"rcsi.exe\" or\n      process.name : \"regsvr32.exe\" or\n      process.name : \"xwizard.exe\")]\n",
16  "risk_score": 21,
17  "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a",
18  "severity": "medium",
19  "tags": [
20    "Elastic",
21    "Host",
22    "Windows",
23    "Threat Detection",
24    "Defense Evasion"
25  ],
26  "threat": [
27    {
28      "framework": "MITRE ATT&CK",
29      "tactic": {
30        "id": "TA0005",
31        "name": "Defense Evasion",
32        "reference": "https://attack.mitre.org/tactics/TA0005/"
33      },
34      "technique": [
35        {
36          "id": "T1127",
37          "name": "Trusted Developer Utilities Proxy Execution",
38          "reference": "https://attack.mitre.org/techniques/T1127/"
39        }
40      ]
41    }
42  ],
43  "type": "eql",
44  "version": 2
45}
46