Processes that spawn network-intensive child processes or upload large data volumes, often from non-standard user or system contexts, with evidence of long-duration TCP/UDP sessions to unusual destinations. Sysmon EventCode=3 records connection creation only (it carries no byte counts or session duration), so it establishes which process opened which connections; volume and session length have to come from flow, firewall, or proxy data correlated on host and time.
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| TimeWindow | Bandwidth anomalies should be assessed over 5-15 min or hourly windows depending on environment size. |
| DestinationCountry | Some organizations allowlist traffic to specific countries based on GeoIP; treat the destination country as a tuning input, not as a reason to suppress the alert outright. |
| ProcessName | Legitimate processes using high bandwidth (e.g., backup tools) must be excluded. |
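The Windows analytic above, as an added example that is not part of the original page: Python that correlates Sysmon EventCode=1 and EventCode=3 on ProcessGuid and flags non-allowlisted processes that fan out to several distinct destinations within the TimeWindow. The log lines, GUIDs, addresses, user names and the allowlist are constructed; the flattened `key=value|...` line shape is an assumption standing in for whatever your SIEM exports.

```python
"""Windows: correlate Sysmon EventCode=1 (process creation) with EventCode=3
(network connection) on ProcessGuid and flag processes, not on the
high-bandwidth allowlist, that open connections to many distinct destinations
inside a short time window.

Added example, not from the original page. Log lines, GUIDs, IPs, user names
and the allowlist are constructed. Sysmon Event 3 records connection creation
only: no byte counts, no duration, so the volume side of the analytic must be
joined from flow data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon records, flattened to key=value pairs separated by "|".
SYSMON_LINES = [
    "EventCode=1|UtcTime=2024-03-01 02:00:00|ProcessGuid={A}|Image=C:\\Users\\Public\\updater.exe|User=CORP\\svc_backup",
    "EventCode=1|UtcTime=2024-03-01 02:00:05|ProcessGuid={B}|Image=C:\\Program Files\\Veeam\\Veeam.Backup.Agent.exe|User=NT AUTHORITY\\SYSTEM",
    "EventCode=3|UtcTime=2024-03-01 02:01:00|ProcessGuid={A}|Image=C:\\Users\\Public\\updater.exe|User=CORP\\svc_backup|DestinationIp=203.0.113.10|DestinationPort=443",
    "EventCode=3|UtcTime=2024-03-01 02:01:30|ProcessGuid={A}|Image=C:\\Users\\Public\\updater.exe|User=CORP\\svc_backup|DestinationIp=203.0.113.11|DestinationPort=443",
    "EventCode=3|UtcTime=2024-03-01 02:02:00|ProcessGuid={A}|Image=C:\\Users\\Public\\updater.exe|User=CORP\\svc_backup|DestinationIp=198.51.100.7|DestinationPort=8080",
    "EventCode=3|UtcTime=2024-03-01 02:03:00|ProcessGuid={A}|Image=C:\\Users\\Public\\updater.exe|User=CORP\\svc_backup|DestinationIp=192.0.2.9|DestinationPort=1080",
    # The backup agent fans out too, but it is on the allowlist.
    "EventCode=3|UtcTime=2024-03-01 02:01:10|ProcessGuid={B}|Image=C:\\Program Files\\Veeam\\Veeam.Backup.Agent.exe|User=NT AUTHORITY\\SYSTEM|DestinationIp=10.0.5.20|DestinationPort=10006",
    "EventCode=3|UtcTime=2024-03-01 02:01:20|ProcessGuid={B}|Image=C:\\Program Files\\Veeam\\Veeam.Backup.Agent.exe|User=NT AUTHORITY\\SYSTEM|DestinationIp=10.0.5.21|DestinationPort=10006",
    "EventCode=3|UtcTime=2024-03-01 02:01:40|ProcessGuid={B}|Image=C:\\Program Files\\Veeam\\Veeam.Backup.Agent.exe|User=NT AUTHORITY\\SYSTEM|DestinationIp=10.0.5.22|DestinationPort=10006",
    # Browser started before Sysmon (no EventCode=1); mostly repeats one host.
    "EventCode=3|UtcTime=2024-03-01 02:02:10|ProcessGuid={C}|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|User=CORP\\alice|DestinationIp=203.0.113.80|DestinationPort=443",
    "EventCode=3|UtcTime=2024-03-01 02:02:15|ProcessGuid={C}|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|User=CORP\\alice|DestinationIp=203.0.113.80|DestinationPort=443",
    "EventCode=3|UtcTime=2024-03-01 02:02:20|ProcessGuid={C}|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|User=CORP\\alice|DestinationIp=203.0.113.81|DestinationPort=443",
]

# Constructed allowlist of legitimately bandwidth-heavy images (lower-cased basenames).
ALLOWLIST = {"veeam.backup.agent.exe", "robocopy.exe"}


def parse_sysmon(lines):
    """Turn the flattened lines into dicts with typed EventCode and UtcTime."""
    events = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split("|"))
        fields["EventCode"] = int(fields["EventCode"])
        fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def detect_fanout(events, window=timedelta(minutes=5), min_destinations=3):
    """One alert per process whose distinct ip:port destinations within any
    sliding window reach min_destinations, unless the image is allowlisted."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["EventCode"] == 3:
            conns[e["ProcessGuid"]].append(e)
    alerts = []
    for guid, evs in conns.items():
        # Prefer the Event 1 record; fall back to the Event 3 fields for
        # processes that were already running when Sysmon started logging.
        proc = procs.get(guid, evs[0])
        image = proc["Image"]
        if image.rsplit("\\", 1)[-1].lower() in ALLOWLIST:
            continue
        evs.sort(key=lambda e: e["UtcTime"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["UtcTime"] - first["UtcTime"] <= window]
            dests = sorted({f'{e["DestinationIp"]}:{e["DestinationPort"]}' for e in in_window})
            if len(dests) >= min_destinations:
                alerts.append({"ProcessGuid": guid, "Image": image, "User": proc["User"],
                               "WindowStart": first["UtcTime"], "Destinations": dests})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_sysmon(SYSMON_LINES)):
        print(alert["User"], alert["Image"], len(alert["Destinations"]), "destinations")
```

The window and destination count are the TimeWindow and threshold knobs from the table; the allowlist is the ProcessName exclusion. Because Event 3 has no byte counts, this only ranks processes by connection fan-out and user context; join the resulting ProcessGuid and time window against flow data to confirm sustained volume.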
User-initiated processes generating sustained outbound traffic over common or non-standard ports, often outside business hours, potentially linked to scanning or proxyjacking. Includes curl, wget, masscan, or proxy clients such as proxychains and 3proxy.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve calls at high frequency, or execve of known bandwidth-intensive tools |
| Network Traffic Flow (DC0078) | NSM:Flow | large outbound data flows or long-duration connections |
| Field | Description |
|---|---|
| ToolPattern | Can be tuned for specific bandwidth abuse tools (e.g., proxychains, 3proxy). |
| TrafficRateThreshold | Baseline deviation thresholds must be environment-specific. |
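The Linux analytic above, as an added example that is not part of the original page: Python that merges auditd SYSCALL and EXECVE records on the audit event id, keeps executions of tools in ToolPattern, and joins them by host and time to NSM flow records that are long-lived or carry a lot of outbound bytes (TrafficRateThreshold). The audit lines, the Zeek conn.log-style flow lines, the host IP, the tool set, the thresholds and the business-hours range are all constructed assumptions.

```python
"""Linux: join auditd execve records for known bandwidth-abuse tools with NSM
flow records from the same host, and alert when a flow that starts shortly
after the execve is long-lived or moves a lot of data outbound.

Added example, not from the original page. Audit lines, flow lines, tool list,
host IP, thresholds and business hours are constructed assumptions. Real auditd
hex-encodes EXECVE arguments that contain spaces or quotes; that decoding is
omitted here.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")

# Constructed audit.log excerpt: SYSCALL + EXECVE records share the audit id.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1709258400.101:101): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=EXECVE msg=audit(1709258400.101:101): argc=3 a0="curl" a1="-T" a2="/srv/dump.tar"',
    'type=SYSCALL msg=audit(1709258460.202:102): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4300 auid=1000 uid=1000 gid=1000 comm="3proxy" exe="/tmp/3proxy" key="exec"',
    'type=EXECVE msg=audit(1709258460.202:102): argc=2 a0="/tmp/3proxy" a1="/tmp/3proxy.cfg"',
    'type=SYSCALL msg=audit(1709298000.303:103): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=5100 auid=1000 uid=1000 gid=1000 comm="ssh" exe="/usr/bin/ssh" key="exec"',
    'type=EXECVE msg=audit(1709298000.303:103): argc=2 a0="ssh" a1="bastion"',
]

# Constructed Zeek conn.log-style flows (tab separated):
# ts, id.orig_h, id.resp_h, id.resp_p, proto, duration, orig_bytes
FLOW_LINES = [
    "1709258405.5\t10.0.0.5\t203.0.113.50\t443\ttcp\t1800.0\t5000000000",
    "1709258470.0\t10.0.0.5\t198.51.100.20\t3128\ttcp\t7200.0\t200000000",
    "1709258480.0\t10.0.0.5\t10.0.0.9\t22\ttcp\t3.0\t4000",
    "1709298010.0\t10.0.0.5\t203.0.113.70\t443\ttcp\t5000.0\t9000000000",
]

TOOL_PATTERN = {"curl", "wget", "masscan", "proxychains", "proxychains4", "3proxy"}
BUSINESS_HOURS = range(8, 18)  # UTC, constructed


def parse_auditd(lines):
    """Merge SYSCALL and EXECVE records keyed on the audit event id."""
    records = defaultdict(dict)
    for line in lines:
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        ts, event_id = AUDIT_ID.search(fields["msg"]).groups()
        rec = records[int(event_id)]
        rec["ts"] = int(ts)
        if fields["type"] == "SYSCALL":
            rec.update(uid=fields["uid"], pid=fields["pid"], exe=fields["exe"])
        elif fields["type"] == "EXECVE":
            rec["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return list(records.values())


def parse_flows(lines):
    flows = []
    for line in lines:
        ts, orig_h, resp_h, resp_p, proto, duration, orig_bytes = line.split("\t")
        flows.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                      "resp_p": int(resp_p), "proto": proto,
                      "duration": float(duration), "orig_bytes": int(orig_bytes)})
    return flows


def detect_tool_egress(records, flows, host_ip, link_window=60,
                       min_duration=600, min_bytes=100_000_000):
    """Alert on (tool execve, flow) pairs: the flow starts within link_window
    seconds after the execve and is either long-lived or large."""
    alerts = []
    for rec in records:
        tool = os.path.basename(rec.get("exe", ""))
        if tool not in TOOL_PATTERN:
            continue
        for flow in flows:
            delta = flow["ts"] - rec["ts"]
            if flow["orig_h"] != host_ip or not 0 <= delta <= link_window:
                continue
            if flow["duration"] < min_duration and flow["orig_bytes"] < min_bytes:
                continue
            hour = datetime.fromtimestamp(rec["ts"], timezone.utc).hour
            alerts.append({"tool": tool, "argv": rec.get("argv", []), "uid": rec["uid"],
                           "dest": f"{flow['resp_h']}:{flow['resp_p']}",
                           "duration_s": flow["duration"], "orig_bytes": flow["orig_bytes"],
                           "after_hours": hour not in BUSINESS_HOURS})
    return alerts


if __name__ == "__main__":
    for a in detect_tool_egress(parse_auditd(AUDIT_LINES), parse_flows(FLOW_LINES), "10.0.0.5"):
        print(a)
```

Flow records carry no pid, so the join is by host and time proximity; a wide `link_window` will attribute one flow to every tool executed shortly before it, which is why the default here is short. The large flow at 13:00 UTC in the sample is deliberately not reported: it has no tool execution in front of it, and this analytic requires both signals.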
Suspicious long-lived or high-throughput connections by apps not signed by Apple, or by processes not normally associated with network uploads. Detect background processes holding open sockets for data egress.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | process + network metrics correlation for bandwidth saturation |
| Process Creation (DC0032) | macos:unifiedlog | exec or spawn calls to proxy tools or torrent clients |
| Field | Description |
|---|---|
| ProcessSignedStatus | Unsigned binaries, or binaries not signed by Apple, raise confidence in the alert. |
| DataRateThreshold | Observed data rate per process over time (e.g., MB/s). |
Containerized apps or sidecar containers generating excessive outbound traffic or being leveraged for proxy networks. Includes sudden increases in network interface counters, especially in dormant or low-utilization apps.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | containers:osquery | bandwidth-intensive command execution from within a container namespace |
| Network Traffic Content (DC0085) | docker:stats | unusual network TX/RX byte deltas |
| Field | Description |
|---|---|
| ContainerBaselineNetworkUsage | Baseline per container must be defined by app purpose and normal traffic. |
| ImageName | Certain image names or registries are prone to abuse (e.g., public images that bundle miners or proxyware). |
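The macOS DataRateThreshold and the container TX/RX byte-delta analytics above both reduce to the same computation, so one added example (not part of the original page) covers both: Python that turns periodic cumulative sent-byte counters per entity into per-interval rates, compares them with the entity's own baseline, and reports only sustained deviations, with confidence raised when the entity is unsigned or comes from an untrusted image. The samples are constructed in the shape of `docker stats --no-stream --format` output using the Name and NetIO columns with a collection timestamp prepended; the per-process equivalent on macOS would come from a host agent. Names, baselines, image names, trust flags and thresholds are assumptions.

```python
"""macOS and containers: turn periodic cumulative byte counters (per process
from a host agent, or per container from `docker stats`) into per-interval
send rates and alert on a sustained deviation from the entity's own baseline,
raising confidence when the entity is unsigned or from an untrusted image.

Added example, not from the original page. Samples, baselines, image names,
trust flags and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

SI = {"B": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}

# Constructed samples, one line per (timestamp, entity) every 60 s:
# "<epoch>\t<name>\t<received> / <sent>"  (docker's NetIO column is rx / tx)
SAMPLES = [
    "1709258400\tweb-1\t1.0MB / 0B",
    "1709258400\tbatch-2\t512kB / 10kB",
    "1709258400\tcache-3\t2.0MB / 0B",
    "1709258460\tweb-1\t1.1MB / 3MB",
    "1709258460\tbatch-2\t512kB / 10kB",
    "1709258460\tcache-3\t2.0MB / 0B",
    "1709258520\tweb-1\t1.2MB / 6MB",
    "1709258520\tbatch-2\t512kB / 120MB",
    "1709258520\tcache-3\t2.1MB / 30MB",
    "1709258580\tweb-1\t1.3MB / 9MB",
    "1709258580\tbatch-2\t512kB / 240MB",
    "1709258580\tcache-3\t2.1MB / 30MB",
    "1709258640\tweb-1\t1.4MB / 12MB",
    "1709258640\tbatch-2\t512kB / 360MB",
    "1709258640\tcache-3\t2.1MB / 30MB",
]

# Constructed per-entity baseline (expected sent bytes/s) and trust metadata:
# for a container, whether the image comes from a vetted registry; for a macOS
# process, whether the binary is Apple-signed (ProcessSignedStatus).
ENTITIES = {
    "web-1":   {"baseline_tx_bps": 50_000, "source": "registry.internal/web:1.4", "trusted": True},
    "batch-2": {"baseline_tx_bps": 1_000,  "source": "docker.io/example/tool:latest", "trusted": False},
    "cache-3": {"baseline_tx_bps": 20_000, "source": "registry.internal/cache:7", "trusted": True},
}


def parse_size(text):
    """'1.2MB' -> 1200000 (docker prints decimal SI units)."""
    num, unit = re.fullmatch(r"([\d.]+)\s*([kMGT]?B)", text.strip()).groups()
    return int(float(num) * SI[unit])


def tx_rates(lines):
    """Per entity, a list of (interval_start, bytes_per_second) computed from
    consecutive cumulative counter samples."""
    series = defaultdict(list)
    for line in lines:
        ts, name, netio = line.split("\t")
        _rx, tx = netio.split(" / ")
        series[name].append((int(ts), parse_size(tx)))
    rates = {}
    for name, points in series.items():
        points.sort()
        rates[name] = [(t0, (b1 - b0) / (t1 - t0))
                       for (t0, b0), (t1, b1) in zip(points, points[1:]) if t1 > t0]
    return rates


def detect_sustained(rates, entities, factor=10, min_intervals=2):
    """Alert when an entity's send rate exceeds factor x its baseline for at
    least min_intervals consecutive intervals; single bursts are ignored.
    Unknown entities get a zero baseline, so any sustained egress is reported."""
    alerts = []
    for name, intervals in rates.items():
        meta = entities.get(name, {"baseline_tx_bps": 0, "source": "unknown", "trusted": False})
        limit = factor * meta["baseline_tx_bps"]
        run = []
        for t0, bps in intervals + [(None, 0.0)]:  # sentinel flushes the last run
            if bps > limit:
                run.append((t0, bps))
                continue
            if len(run) >= min_intervals:
                alerts.append({"entity": name, "source": meta["source"],
                               "start": run[0][0], "intervals": len(run),
                               "peak_bps": max(b for _, b in run),
                               "confidence": "medium" if meta["trusted"] else "high"})
            run = []
    return alerts


if __name__ == "__main__":
    for alert in detect_sustained(tx_rates(SAMPLES), ENTITIES):
        print(alert)
```

The dormant `batch-2` container jumping to about 2 MB/s for three consecutive minutes is reported at high confidence because its image is not from a vetted registry; `cache-3`'s single 30 MB burst is not, because it is not sustained. The per-entity baseline (ContainerBaselineNetworkUsage) is the parameter that makes this work: a single fleet-wide threshold would either drown in the web tier's normal traffic or miss the dormant job.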
Virtual instances or workloads generating sustained outbound data rates, often to Tor, VPN, or proxy endpoints. Often coincides with unusual IAM usage or newly deployed scripts (e.g., cron jobs running proxy clients).
| Data Component | Name | Channel |
|---|---|---|
| Instance Start (DC0080) | AWS:CloudTrail | StartInstances |
| Network Traffic Flow (DC0078) | AWS:VPCFlowLogs | egress > 90th percentile or frequent connection reuse |
| Field | Description |
|---|---|
| InstanceType | High-throughput instance types are more likely to be targeted for hijacking. |
| TrafficEgressThreshold | Customize detection thresholds based on cloud provider quotas or billing alerts. |
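The IaaS analytic above, as an added example that is not part of the original page: Python that sums per-ENI egress from VPC Flow Log records, compares the current window with the 90th percentile of that ENI's own earlier windows (TrafficEgressThreshold), reports how concentrated the traffic is on one peer (connection reuse), and enriches the alert with a recent CloudTrail StartInstances by an identity outside the expected set. The flow log lines (default v2 format), the history, the ENI-to-instance map (normally obtained from ec2 describe-network-interfaces), the CloudTrail event, the VPC CIDR and the expected-starter set are constructed assumptions.

```python
"""IaaS (AWS): per-ENI egress from VPC Flow Logs compared with that ENI's own
history (90th percentile), with peer-reuse ratio and enrichment from CloudTrail
StartInstances events by identities outside the expected set.

Added example, not from the original page. Flow log lines, history, the
ENI-to-instance map, the CloudTrail event and the VPC CIDR are constructed.
"""
import json
import math
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")  # constructed

# Constructed VPC Flow Log records, default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 198.51.100.77 49152 443 6 450000 600000000 1709258400 1709258999 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 198.51.100.77 49153 443 6 220000 300000000 1709258400 1709258999 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.23 443 49152 6 4000 5000000 1709258400 1709258999 ACCEPT OK",
    "2 123456789012 eni-0b9c8d7e6f5a4b3c2 10.0.1.40 10.0.2.15 51000 5432 6 40000 50000000 1709258400 1709258999 ACCEPT OK",
    "2 123456789012 eni-0b9c8d7e6f5a4b3c2 10.0.1.40 203.0.113.9 51001 443 6 1800 2000000 1709258400 1709258999 ACCEPT OK",
    "2 123456789012 eni-0c0c0c0c0c0c0c0c0 - - - - - - - 1709258400 1709258999 - NODATA",
]

# Constructed per-ENI egress bytes for earlier windows of the same length.
HISTORY = {
    "eni-0a1b2c3d4e5f6a7b8": [1_000_000, 2_000_000, 1_500_000, 1_200_000, 3_000_000,
                              2_500_000, 1_800_000, 2_200_000, 1_100_000],
    "eni-0b9c8d7e6f5a4b3c2": [1_500_000, 2_500_000, 1_900_000, 2_100_000, 2_400_000,
                              3_000_000, 2_200_000, 2_800_000, 1_700_000, 2_000_000],
}
ENI_TO_INSTANCE = {"eni-0a1b2c3d4e5f6a7b8": "i-0123456789abcdef0",
                   "eni-0b9c8d7e6f5a4b3c2": "i-0fedcba9876543210"}
EXPECTED_STARTERS = {"ci-deploy-role"}  # constructed identities allowed to start instances

# Constructed CloudTrail event (only the fields used here).
CLOUDTRAIL_EVENTS = [json.loads("""{
  "eventTime": "2024-03-01T01:45:00Z", "eventName": "StartInstances",
  "userIdentity": {"type": "IAMUser", "userName": "dev-intern"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}
}""")]


def egress_per_eni(lines):
    """Sum bytes of flows leaving the VPC per ENI, plus bytes per peer."""
    total = defaultdict(int)
    peers = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = line.split()
        if f[13] != "OK":  # NODATA / SKIPDATA records carry no counters
            continue
        eni, src, dst, dstport, nbytes = f[2], f[3], f[4], f[6], int(f[9])
        if ip_address(src) in VPC_CIDR and ip_address(dst) not in VPC_CIDR:
            total[eni] += nbytes
            peers[eni][f"{dst}:{dstport}"] += nbytes
    return total, peers


def percentile(values, p):
    """Nearest-rank percentile; p in (0, 1]."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def recent_starts(events, window_start, lookback=3600):
    """instanceId -> identity for StartInstances within lookback seconds before the window."""
    starts = {}
    for ev in events:
        if ev["eventName"] != "StartInstances":
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        if 0 <= window_start - t <= lookback:
            who = ev["userIdentity"].get("userName") or ev["userIdentity"].get("arn", "?")
            for item in ev["requestParameters"]["instancesSet"]["items"]:
                starts[item["instanceId"]] = who
    return starts


def detect_egress(lines, history, events, window_start, min_bytes=50_000_000):
    """Alert per ENI whose egress exceeds its own p90 and an absolute floor
    (the floor keeps idle ENIs with a near-zero history quiet)."""
    total, peers = egress_per_eni(lines)
    starts = recent_starts(events, window_start)
    alerts = []
    for eni, nbytes in total.items():
        p90 = percentile(history.get(eni, [0]), 0.9)
        if nbytes <= p90 or nbytes < min_bytes:
            continue
        top_peer, top_bytes = max(peers[eni].items(), key=lambda kv: kv[1])
        instance = ENI_TO_INSTANCE.get(eni)
        starter = starts.get(instance)
        alerts.append({"eni": eni, "instance": instance, "egress_bytes": nbytes, "p90": p90,
                       "top_peer": top_peer, "top_peer_share": top_bytes / nbytes,
                       "recent_start_by": starter if starter not in EXPECTED_STARTERS else None})
    return alerts


if __name__ == "__main__":
    for alert in detect_egress(FLOW_LOG_LINES, HISTORY, CLOUDTRAIL_EVENTS, 1709258400):
        print(alert)
```

Egress is identified here as source inside the VPC CIDR and destination outside it, which the default flow log format supports; if your flow logs use a custom format that includes `flow-direction`, use that field instead. A `top_peer_share` near 1.0 on a high-volume ENI is the "frequent connection reuse" signal: a proxy or tunnel endpoint rather than a normal client mix. The instance start by `dev-intern` a quarter of an hour before the window is reported because that identity is not among the expected starters; an instance started by the deployment role would carry no enrichment.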