[metadata] creation_date = "2020/09/02" ecs_version = ["1.6.0"] maturity = "production" updated_date = "2020/09/02" [rule] author = ["Elastic"] description = """ Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. """ from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*"] language = "eql" license = "Elastic License" name = "Unusual Network Activity from a Windows System Binary" risk_score = 21 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a" severity = "medium" tags = ["Elastic", "Windows"] type = "eql" query = ''' sequence by process.entity_id with maxspan=5m [process where event.type in ("start", "process_started") and /* known applocker bypasses */ process.name in ("bginfo.exe", "cdb.exe", "control.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", "MSBuild.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe")] [network where event.type == "connection" and process.name in ("bginfo.exe", "cdb.exe", "control.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", "MSBuild.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe")] ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1127" name = "Trusted Developer Utilities Proxy Execution" reference = "https://attack.mitre.org/techniques/T1127/" [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/"