Rules Contributing to Suspicious Windows Network Connection Alert
The following rules are used to identify suspicious Windows network connection activity. Any one or more of them will trigger the Suspicious Windows Network Connection Alert. The details recorded for each rule (query, log source, rule source, references and severity) are listed with it below.
Network Activity From MSBuild

MSBuild is a powerful tool used to compile and package code. If the MSBuild utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. Malicious executables can even run inside of MSBuild with little indication it is doing so.

- Query: `{'selection': {'EventImage|endswith': '\\MSBuild.exe'}, 'condition': 'selection'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Network Activity From mshta

Mshta is the Microsoft HTML Application Host and allows the execution of .hta files. If the mshta utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

- Query: `{'selection': {'EventImage|endswith': '\\mshta.exe'}, 'condition': 'selection'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Network Activity From msxsl

Msxsl allows you to perform command-line Extensible Stylesheet Language (XSL) transformations. If the msxsl utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

- Query: `{'selection': {'EventImage|endswith': '\\msxsl.exe'}, 'condition': 'selection'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Network Activity From verclsid

Verclsid allows you to validate shell extensions before they are instantiated by the Windows shell or Windows Explorer. If the verclsid utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables.

- Query: `{'selection': {'EventImage|endswith': '\\verclsid.exe'}, 'condition': 'selection'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50

Unexpected Network Activity from Microsoft Tool

A Microsoft tool was executed with suspicious network connection activity. This could be an indication of malicious activity.

- Query: `{'selection': {'EventImage|endswith': ['\\bginfo.exe', '\\rcsi.exe', '\\control.exe', '\\odbcconf.exe']}, 'condition': 'selection'}`
- Log Source: Stellar Cyber Windows Server Sensor configured for:
- Rule Source: Developed internally by Stellar Cyber
- References: N/A
- Severity: 50
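All five rules share one shape: a single `selection` whose `EventImage|endswith` value is either one image suffix or a list of suffixes, combined by `condition: 'selection'`. The following Python is an added example, not Stellar Cyber's detection engine, that evaluates exactly that rule shape against a handful of constructed network-connection events. It assumes the event carries an `EventImage` field holding the full image path (as the queries imply), that string comparison is case-insensitive (the Sigma convention; whether the sensor's engine does the same is an assumption), and that a list value means "any of". The sample events and their paths are constructed for the example.

```python
"""Evaluate the page's selection-style rules against constructed network-connection events.

Added example: implements only the rule shape used on this page
({'selection': {'<field>|<modifier>': <str or list>}, 'condition': 'selection'}).
"""

# The five rule bodies as they appear on the page, keyed by rule title.
RULES = {
    "Network Activity From MSBuild": {
        "selection": {"EventImage|endswith": "\\MSBuild.exe"}, "condition": "selection"},
    "Network Activity From mshta": {
        "selection": {"EventImage|endswith": "\\mshta.exe"}, "condition": "selection"},
    "Network Activity From msxsl": {
        "selection": {"EventImage|endswith": "\\msxsl.exe"}, "condition": "selection"},
    "Network Activity From verclsid": {
        "selection": {"EventImage|endswith": "\\verclsid.exe"}, "condition": "selection"},
    "Unexpected Network Activity from Microsoft Tool": {
        "selection": {"EventImage|endswith": [
            "\\bginfo.exe", "\\rcsi.exe", "\\control.exe", "\\odbcconf.exe"]},
        "condition": "selection"},
}


def _field_matches(actual, expected, modifier):
    """One field condition. A list of expected values is an OR; comparison is
    case-insensitive (assumption: Sigma convention, Windows paths are case-insensitive)."""
    candidates = expected if isinstance(expected, list) else [expected]
    actual = actual.lower()
    if modifier == "endswith":
        return any(actual.endswith(c.lower()) for c in candidates)
    if modifier == "":  # plain equality when no modifier is given
        return any(actual == c.lower() for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def _selection_matches(selection, event):
    """All field conditions inside one selection must hold (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if not isinstance(actual, str) or not _field_matches(actual, expected, modifier):
            return False
    return True


def rule_matches(rule, event):
    """True when the event satisfies the rule; only condition 'selection' is supported here."""
    if rule.get("condition") != "selection":
        raise ValueError("only condition: 'selection' is implemented in this example")
    return _selection_matches(rule["selection"], event)


def matching_rules(event):
    """Titles of every page rule the event satisfies, in page order."""
    return [title for title, rule in RULES.items() if rule_matches(rule, event)]


def alert_triggering_events(events):
    """Indices of events that would contribute to the alert (any one rule is enough)."""
    return [i for i, ev in enumerate(events) if matching_rules(ev)]


# Constructed sample events (hypothetical hosts and addresses, not real telemetry).
SAMPLE_EVENTS = [
    {"EventImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventImage": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    {"EventImage": r"C:\Windows\System32\control.exe",
     "DestinationIp": "192.0.2.25", "DestinationPort": 8080},
    {"EventImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.50", "DestinationPort": 443},  # benign browser: no rule fires
    {"EventImage": r"D:\build\tools\msbuild.EXE",
     "DestinationIp": "192.0.2.9", "DestinationPort": 443},  # mixed case still matches
    {"EventImage": r"C:\Tools\notmshta.exe",
     "DestinationIp": "192.0.2.9", "DestinationPort": 443},  # leading backslash prevents a match
]

if __name__ == "__main__":
    for i in alert_triggering_events(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["EventImage"], "->", matching_rules(SAMPLE_EVENTS[i]))
```

The leading backslash in every suffix (`\\MSBuild.exe` rather than `MSBuild.exe`) is what keeps `notmshta.exe` from matching the mshta rule: the check is on the final path component, not on any substring. Two caveats follow from the rule shape itself. The match is purely on the image path, so a copy of the binary under another name would not be caught by these rules and is better covered by fields such as the PE `OriginalFileName` or signer, where the sensor exposes them. And because the queries do not constrain destination, legitimate build servers running MSBuild against a package feed will match and need suppression by destination or host rather than by disabling the rule.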