Suspicious Network Activity to the Internet by Previously Unknown Executable

Last updated a year ago on 2025-02-03

Created 3 years ago on 2023-06-14

About

This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic EndgameData Source: Elastic DefendLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

↳ Application Layer Protocol (T1071)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: auditbeat-*filebeat-*packetbeat-*logs-endpoint.events.*endgame-*
Related Integrations: endpoint(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and
process.executable : (
  /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or
  /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*
) and process.name : * and
not (
  process.executable : (
    /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or
    /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or /tmp/selenium* or /tmp/tmp.*/juliainstaller or
    /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*
  ) or
  source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or
  process.name : (
    apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or
    kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or
    php* or pip* or python* or steam* or terraform* or filebeat or apk or cursor or http
  ) or
  destination.ip:(
    0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or
    192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or
    192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or
    198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
  )
)

Install detection rules in Elastic Security

Detect Suspicious Network Activity to the Internet by Previously Unknown Executable in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).