sequence by process.entity_id with maxspan=5m
  /* Stage 1: start of a Windows binary that is a known AppLocker / application-control
     bypass. Both stages are joined on process.entity_id, so the same process instance
     must also produce the stage-2 network event within 5 minutes. The `:` operator is
     case-insensitive, so mixed-case entries such as "MSBuild.exe" match any casing. */
  [process where host.os.type == "windows" and event.type == "start" and
    process.name : (
      "bginfo.exe", "cdb.exe", "control.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe",
      "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe",
      "MSBuild.exe", "msdt.exe", "mshta.exe",
      /* NOTE(review): wscript.exe has no counterpart in stage 2, so a wscript.exe start can
         only complete the sequence if the paired network event carries a different
         process.name — confirm whether it should be added below or dropped here */
      "wscript.exe",
      "msiexec.exe", "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe"
    )]
  /* Stage 2: network activity from that same process. Per-binary exclusions cover the
     two binaries with expected legitimate traffic (msbuild.exe, msiexec.exe); a shared
     allow-list of benign destinations is then applied to every match. */
  [network where
    (
      /* any network activity from these binaries is reported */
      process.name : (
        "bginfo.exe", "cdb.exe", "control.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe",
        "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe",
        "msdt.exe", "mshta.exe", "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe",
        "xwizard.exe"
      ) or
      /* msbuild.exe: loopback traffic is expected, anything else is not */
      (process.name : "msbuild.exe" and destination.ip != "127.0.0.1") or
      /* msiexec.exe: certificate-revocation (OCSP) lookups and local-domain names are
         expected during installs; anything else is reported */
      (process.name : "msiexec.exe" and
        not dns.question.name : (
          "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com",
          "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
        ) and
        /* Localhost, DigiCert and Comodo CA IP addresses. This is a static snapshot of
           CA infrastructure — revisit the list if those addresses change. */
        not cidrmatch(destination.ip, "127.0.0.1", "192.229.211.108/32", "192.229.221.95/32",
          "152.195.38.76/32", "104.18.14.101/32"))
    ) and
    /* benign destinations seen across all of the binaries above: CRL / OCSP endpoints,
       Windows Update and a handful of vendor hosts. `?` is a single-character wildcard
       (e.g. "crl?.digicert.com"). */
    not dns.question.name : (
      "localhost", "setup.officetimeline.com", "us.deployment.endpoint.ingress.rapid7.com",
      "ctldl.windowsupdate.com", "crl?.digicert.com", "ocsp.digicert.com", "addon-cms-asl.eu.goskope.com", "crls.ssl.com",
      "evcs-ocsp.ws.symantec.com", "s.symcd.com", "s?.symcb.com", "crl.verisign.com", "oneocsp.microsoft.com",
      "aka.ms", "crl.comodoca.com", "acroipm2.adobe.com", "sv.symcd.com"
    ) and
    /* the host resolving its own name */
    not startswith~(dns.question.name, host.name)
  ]
Install detection rules in Elastic Security
Detect Unusual Network Activity from a Windows System Binary in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.