An unusual process (e.g., rundll32, mshta, wscript, or a custom payload) initiates a network connection to external IPs/domains that proxy C2 traffic, often over uncommon ports or via high-entropy HTTP/S connections.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Traffic Content (DC0085) | WinEventLog:Microsoft-Windows-Windows Defender/Operational | Unusual external domain access |

| Field | Description |
|---|---|
| DestinationASN | Adjust for known benign but high-risk infrastructure (e.g., hosting providers like DigitalOcean, OVH, etc.). |
| ParentProcess | Detect suspicious lineage—proxy tools launched from script interpreters or LOLBins. |
| EntropyThreshold | Tune based on expected randomness in outbound request payloads. |

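As an added example (not part of this page or of the ATT&CK data sources it cites), the following Python sketches the Windows analytic above: it joins constructed Sysmon EventCode 1 and EventCode 3 records on ProcessGuid, then scores each external connection against the tunable fields in the table (LOLBin image or parent lineage, uncommon destination port, URI entropy). The event values, the LOLBin set, the port set, the internal network list and the entropy threshold are all assumptions to be adjusted per environment.

```python
import ipaddress
import math
from collections import Counter

# Constructed Sysmon events (EventCode 1 = process creation, 3 = network connection); values are made up.
EVENTS = [
    {"EventCode": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventCode": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 8443, "Uri": "/a9Zk2Qx8bL1pW7vT3nRd0eY5cU"},
    {"EventCode": 3, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443, "Uri": "/index.html"},
]

# Tunables (assumed values) mapping onto ParentProcess, EntropyThreshold and the "uncommon port" condition.
LOLBINS = {"rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
COMMON_PORTS = {80, 443}
ENTROPY_THRESHOLD = 4.0
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def shannon_entropy(s):
    # Bits per character; random-looking URI paths or hostnames score high.
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def detect(events, lolbins=LOLBINS, common_ports=COMMON_PORTS, threshold=ENTROPY_THRESHOLD):
    # Join each EventCode 3 to its EventCode 1 record via ProcessGuid to recover the parent image.
    parents = {e["ProcessGuid"]: e["ParentImage"] for e in events if e["EventCode"] == 1}
    findings = []
    for e in events:
        if e["EventCode"] != 3 or not is_external(e["DestinationIp"]):
            continue
        image, parent = (p.rsplit("\\", 1)[-1].lower()
                         for p in (e["Image"], parents.get(e["ProcessGuid"], "")))
        entropy = shannon_entropy(e.get("Uri", ""))
        checks = [
            (image in lolbins, f"lolbin:{image}"),
            (parent in lolbins, f"parent:{parent}"),
            (e["DestinationPort"] not in common_ports, f"port:{e['DestinationPort']}"),
            (entropy > threshold, f"entropy:{entropy:.2f}"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings.append((e["ProcessGuid"], e["DestinationIp"], reasons))
    return findings
```

Each finding carries the reasons that fired, so an analyst can tell a lineage hit from a port or entropy hit and tune the corresponding field separately.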
curl, wget, ncat, socat, or custom binaries initiate outbound traffic to Internet-based proxies (e.g., via VPS or CDN). Behavior may include reverse shell constructs or persistent outbound beacons.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Content (DC0085) | NSM:Flow | conn.log or http.log |
| Network Traffic Flow (DC0078) | NSM:Flow | alert log |

| Field | Description |
|---|---|
| CommandLinePattern | Regex or command substring matches indicative of dynamic proxy setup. |
| ExternalIPList | Tunable list of IPs or ASNs related to known proxy/VPS abuse. |
| UserContext | Unexpected users running networking tools (e.g., www-data, apache). |

AppleScript or terminal sessions launch tools (curl, nc, ssh) to external IPs not commonly accessed. Outbound connections are made by LaunchAgents/LaunchDaemons, often masquerading as system services.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process logs |
| Network Traffic Flow (DC0078) | NSM:Flow | pf firewall logs |
| Network Connection Creation (DC0082) | macos:osquery | launchd or network_events |

| Field | Description |
|---|---|
| LaunchAgentPath | Detect persistence used to restart proxy after reboot. |
| ExternalPort | Often high or non-standard ports, configurable for outbound proxy detection. |
| ProcessReputation | Flag unsigned or anomalous binaries making external connections. |

ESXi shell or guest VM tools initiate external connections via scripted traffic forwarding to Internet-based proxies. Detected via firewall or shell audit logs showing spikes in outbound connections from the hypervisor or a guest VM to remote proxy nodes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | esxi:shell | None |
| Network Traffic Flow (DC0078) | esxi:vmkernel | None |
| Network Connection Creation (DC0082) | NSM:Flow | conn.log |

| Field | Description |
|---|---|
| VMOutboundPatterns | Detect when VMs communicate with Internet IPs not in workload profiles. |
| ProxyHostPattern | Regex for proxy-related tools/scripts executed on the host. |
| ConnectionDirectionality | Outbound-only connections from ESXi to new IPs. |

Changes to NAT/firewall policies enabling outbound port forwarding from internal IPs to Internet-based proxy endpoints. Log spikes in outbound flows to CDN, VPS, or anomalous ASNs with few return packets.

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | Firewall Audit Logs | Outbound NAT Rule Changes |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound flow records |
| Network Connection Creation (DC0082) | networkdevice:syslog | Dynamic route changes |

| Field | Description |
|---|---|
| FlowThreshold | Number of flows or bytes transferred per minute—flag surges to unrecognized ASNs. |
| DestinationIPCategory | Proxy destination categories: CDN, TOR exit node, anonymous hosting. |
| ConfigChangeUser | Track if unexpected user or automation changed NAT/forwarding rules. |