1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", 6 "from": "now-9m", 7 "index": [ 8 "logs-endpoint.events.*", 9 "winlogbeat-*", 10 "logs-windows.*" 11 ], 12 "language": "eql", 13 "license": "Elastic License v2", 14 "name": "Unusual Network Activity from a Windows System Binary", 15 "query": "sequence by process.entity_id with maxspan=5m\n [process where event.type in (\"start\", \"process_started\") and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", 16 "risk_score": 21, 17 "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", 18 "severity": "medium", 19 "tags": [ 20 "Elastic", 21 "Host", 22 "Windows", 23 "Threat Detection", 24 "Defense Evasion" 25 ], 26 "threat": [ 27 { 28 "framework": "MITRE ATT&CK", 29 "tactic": { 30 "id": "TA0005", 31 "name": "Defense Evasion", 32 "reference": "https://attack.mitre.org/tactics/TA0005/" 33 }, 34 "technique": [ 35 { 36 "id": "T1127", 37 "name": "Trusted Developer Utilities Proxy Execution", 38 "reference": "https://attack.mitre.org/techniques/T1127/" 39 } 40 ] 41 } 42 ], 43 "type": "eql", 44 "version": 2 45} 46