sigma-rules/rules/windows/execution_command_prompt_connecting_to_the_internet.toml

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/03"

[rule]
author = ["Elastic"]
description = """
Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a
remote URL.
"""
false_positives = [
    """
    Administrators may use the command prompt for regular administrative tasks. It's important to baseline your
    environment for network connections being made from the command prompt to determine any abnormal use of this tool.
    """,
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Command Prompt Network Connection"
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"

query = '''
event.category:network and event.type:connection and
  process.name:cmd.exe and
  not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"