Unusual Windows Network Activity

Elastic Detection Rules

Summary
This rule, 'Unusual Windows Network Activity', detects network activity from Windows processes that do not normally engage in network operations. It is backed by a machine learning model integrated with Elastic's security framework and is aimed at surfacing potential command-and-control, lateral movement, persistence, or data exfiltration. The model compares each process's network behaviour against established baselines and flags activity that departs from them; such a departure can indicate that the process has been exploited or injected into, giving a malicious actor unauthorized access to or control over the system. False positives are possible for newly installed or infrequently used applications that legitimately use the network, so alerts should be investigated in context: the destination IP addresses, the user context, the process's execution history, and its parent process.
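To make the baseline comparison concrete, the following Python is an added example that is not Elastic's rule, model, or code. It stands in a simple per-process frequency baseline for the machine learning model: it counts how often each process produced network events during a baseline window, then flags processes in a later window that were unseen or rare, carrying the triage context the summary lists (destination IP, user, parent process). The events, process names and IP addresses are constructed sample data (documentation address ranges), and the threshold `min_baseline_count` is an assumed parameter, not something the rule exposes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class NetEvent:
    """One process-initiated network event, using ECS-style field names in the comments."""
    process: str   # process.name
    parent: str    # process.parent.name
    user: str      # user.name
    dest_ip: str   # destination.ip


def build_baseline(events: Iterable[NetEvent]) -> Counter:
    """Count network events per process over the baseline window (stand-in for the ML model)."""
    return Counter(e.process for e in events)


def find_unusual(baseline: Counter, events: Iterable[NetEvent],
                 min_baseline_count: int = 3) -> list[dict]:
    """Flag observed events whose process was unseen or rare on the network in the baseline.

    Each finding keeps the fields an analyst needs for triage: destination IP,
    user context and parent process. `min_baseline_count` is an assumed threshold.
    """
    findings = []
    for e in events:
        seen = baseline.get(e.process, 0)
        if seen >= min_baseline_count:
            continue  # process routinely uses the network; nothing unusual
        reason = ("never seen on network in baseline" if seen == 0
                  else f"rare in baseline ({seen} events)")
        findings.append({
            "process": e.process,
            "reason": reason,
            "baseline_count": seen,
            "dest_ip": e.dest_ip,
            "user": e.user,
            "parent": e.parent,
        })
    return findings


# Constructed baseline window: a browser and a service that use the network all the
# time, plus one lone interpreter event. Addresses are RFC 5737 documentation ranges.
BASELINE_EVENTS = (
    [NetEvent("chrome.exe", "explorer.exe", "alice", "198.51.100.10") for _ in range(20)]
    + [NetEvent("svchost.exe", "services.exe", "SYSTEM", "198.51.100.20") for _ in range(10)]
    + [NetEvent("powershell.exe", "explorer.exe", "alice", "198.51.100.30")]
)

# Constructed observation window: two routine events, one process that never touched
# the network before (spawned by an Office application), and one rarely seen process.
OBSERVED_EVENTS = [
    NetEvent("chrome.exe", "explorer.exe", "alice", "198.51.100.11"),
    NetEvent("notepad.exe", "winword.exe", "bob", "203.0.113.5"),
    NetEvent("svchost.exe", "services.exe", "SYSTEM", "198.51.100.20"),
    NetEvent("powershell.exe", "explorer.exe", "alice", "203.0.113.9"),
]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for finding in find_unusual(baseline, OBSERVED_EVENTS):
        print(f"{finding['process']:<16} {finding['reason']:<36} "
              f"dest={finding['dest_ip']} user={finding['user']} parent={finding['parent']}")
```

Run as a script it prints two findings: notepad.exe (never seen on the network, parent winword.exe) and powershell.exe (rare in the baseline). The notepad.exe case illustrates the false-positive caveat in reverse: the baseline count alone says "unusual", and it is the parent process and destination that tell the analyst whether this is a newly installed application or something to escalate.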
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Service
Created: 2020-03-25