The SIEM app is now a part of the Elastic Security solution.
Click
here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Command Prompt Network Connection
editCommand Prompt Network Connection
editIdentifies cmd.exe
making a network connection. Adversaries can abuse
cmd.exe
to download or execute malware from a remote URL.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 2 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Potential false positives
editAdministrators may use the command prompt for regular administrative tasks. It’s important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
Rule query
editprocess.name:cmd.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command-Line Interface
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Remote File Copy
- ID: T1105
- Reference URL: https://attack.mitre.org/techniques/T1105/
Rule version history
edit- Version 2 (7.7.0 release)
-
Updated query, changed from:
process.name:cmd.exe and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:10.0.0.0/8 and not destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16