some system binaries may execute without arguments in rare legitimate scenarios (e.g., certain service launches), and initiate a network connection to microsoft servers for telemetry or update purposes. apply additional filters as needed. however, binaries such as `rundll32.exe` or `dllhost.exe` running with no command-line context are highly suspicious and warrant investigation.

Techniques

Sample rules

Cisco NVM - Suspicious Network Connection From Process With No Args

source: splunk
technicques:
- T1055
- T1218

Description

This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by curl where TLS checks were explicitly disabled. Binaries such as rundll32.exe, regsvr32.exe, dllhost.exe, svchost.exe, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution. When these processes are seen initiating a network connection with an empty or missing command line, it can indicate potential injection and communication with a command and control server.

Detection logic

`cisco_network_visibility_module_flowdata`
process_name IN (
  "backgroundtaskhost.exe", "svchost.exe", "dllhost.exe", "werfault.exe",
  "searchprotocolhost.exe", "wuauclt.exe", "spoolsv.exe", "rundll32.exe",
  "regasm.exe", "regsvr32.exe", "regsvcs.exe"
)
NOT process_arguments="*"
NOT dest IN (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", 
        "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
        "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
        "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
        )

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime

| `cisco_nvm___suspicious_network_connection_from_process_with_no_args_filter`