Elastic Security Detection Rules

Suspicious Outbound Network Connection via Unsigned Binary

Last updated 12 days ago on 2026-01-30
Created 12 days ago on 2026-01-30

About

Detects the execution of an unsigned or untrusted binary followed by an outbound network connection to a raw IP address on a non-standard port. Many malicious payloads will connect directly to C2 or a payload server using non-standard ports.
Tags
Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Non-Standard Port (T1571)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*logs-endpoint.events.network-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
sequence by process.entity_id with maxspan=1m
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and 
    (process.code_signature.trusted == false or process.code_signature.exists == false) and
    process.args_count == 1 and
    not process.executable like "/opt/homebrew/*"]
  [network where host.os.type == "macos" and event.type == "start" and 
    destination.domain == null and 
    not destination.port in (443, 80, 53, 22, 25, 587, 993, 465, 8080, 8200, 9200) and 
    destination.port < 49152 and
    not cidrmatch(destination.ip, "0.0.0.0", "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", 
                  "198.19.0.0/16", "192.18.0.0/15", "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", 
                  "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.31.196.0/24", 
                  "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "100.64.0.0/10", 
                  "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
                  "::1", "FE80::/10", "FF00::/8")]

Install detection rules in Elastic Security

Detect Suspicious Outbound Network Connection via Unsigned Binary in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).