Processes generating large outbound connections with disproportionate send/receive ratios, often to uncommon ports or hosts, potentially inserting meaningless data into protocol payloads.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Network Traffic Content (DC0085) | NSM:Flow | TCP/UDP |

| Field | Description |
|---|---|
| PayloadEntropyThreshold | Tunable threshold for Shannon entropy of network payloads. |
| TimeWindow | Duration of outbound data transfer to evaluate disproportionate upload size. |
| UserContext | Filter based on user accounts allowed to generate outbound traffic. |

Outbound traffic with anomalous payload sizes and patterns from non-networking processes, often observed via packet inspection or connection logs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve network tools |
| Network Traffic Content (DC0085) | NSM:Flow | TCP session tracking |

| Field | Description |
|---|---|
| EntropyScore | Adjust based on expected entropy of typical outbound data. |
| ProcessWhitelist | Exclude known good binaries that generate high network output. |
| DataRatioThreshold | Minimum ratio of bytes_sent to bytes_received. |
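
The Windows and Linux analytics above both reduce to two checks per outbound flow: the Shannon entropy of the payload against PayloadEntropyThreshold/EntropyScore, and the bytes_sent to bytes_received ratio against DataRatioThreshold, after excluding processes on ProcessWhitelist. The following Python is an added example, not part of this page, run over constructed flow records; the threshold values, sample processes and destinations are assumptions.

```python
import math
from collections import Counter

# Tunables named after the fields above; the numeric values are assumptions for this demo.
PAYLOAD_ENTROPY_THRESHOLD = 7.0   # bits per byte; padded or random junk approaches 8.0
DATA_RATIO_THRESHOLD = 50.0       # bytes_sent / bytes_received
PROCESS_WHITELIST = {"rsync", "backup-agent"}  # known-good high-output binaries

# Constructed sample records standing in for a connection event joined with flow content.
SAMPLE_FLOWS = [
    {"process": "curl", "user": "alice", "dst": "10.0.0.5:443",
     "bytes_sent": 2048, "bytes_received": 1900,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n" * 4},
    {"process": "updater.exe", "user": "bob", "dst": "203.0.113.7:8443",
     "bytes_sent": 900_000, "bytes_received": 120,
     "payload": bytes(range(256)) * 8},   # uniform byte histogram: entropy 8.0
    {"process": "rsync", "user": "svc_backup", "dst": "10.0.0.9:873",
     "bytes_sent": 500_000, "bytes_received": 300,
     "payload": b"\x00\xffab" * 40},      # four equiprobable symbols: entropy 2.0
]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def send_receive_ratio(flow: dict) -> float:
    """bytes_sent / bytes_received; a flow that receives nothing gets an infinite ratio."""
    if flow["bytes_received"] == 0:
        return math.inf
    return flow["bytes_sent"] / flow["bytes_received"]

def evaluate_flow(flow: dict, entropy_threshold=PAYLOAD_ENTROPY_THRESHOLD,
                  ratio_threshold=DATA_RATIO_THRESHOLD, whitelist=PROCESS_WHITELIST):
    """Return the reasons a flow trips the junk-data analytic (empty list if benign)."""
    if flow["process"] in whitelist:
        return []
    reasons = []
    if shannon_entropy(flow["payload"]) >= entropy_threshold:
        reasons.append("high_payload_entropy")
    if send_receive_ratio(flow) >= ratio_threshold:
        reasons.append("disproportionate_upload")
    return reasons

def detect_junk_data(flows, **thresholds) -> dict:
    """Map (process, destination) to reasons for every flow that fires."""
    return {(f["process"], f["dst"]): r for f in flows if (r := evaluate_flow(f, **thresholds))}
```

Calling `detect_junk_data(SAMPLE_FLOWS)` flags only `updater.exe`; `rsync` uploads just as disproportionately but is suppressed by the whitelist, which is exactly the tuning trade-off the ProcessWhitelist field describes.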

Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | macos:unifiedlog | connection attempts |
| Process Creation (DC0032) | macos:osquery | process_events |
| Network Traffic Content (DC0085) | NSM:Flow | session behavior |

| Field | Description |
|---|---|
| ParentProcessCheck | Allow filtering based on parent-child relationship for benign services. |
| HostWhitelist | Known-legitimate destinations whose traffic shows C2-like patterns (e.g., Apple telemetry). |

Anomalous traffic from ESXi host management daemons (such as hostd or vpxa) embedding non-standard payloads in management protocols (e.g., HTTPS), or exhibiting beaconing behavior.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | esxi:vmkernel | Network activity |
| Network Connection Creation (DC0082) | esxi:hostd | System service interactions |

| Field | Description |
|---|---|
| TLSFingerprintMismatch | Flags TLS client behavior that does not match what is expected of hostd/vpxa. |
| UnusualDestinationPorts | Highlight traffic from ESXi hosts to uncommon ports outside vCenter ranges. |