Techniques
Sample rules
Cisco NVM - Suspicious Network Connection From Process With No Args
- source: splunk
- technicques:
- T1055
- T1218
Description
This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments.
It leverages Cisco Network Visibility Module (NVM) flow data and process arguments
to identify outbound connections initiated by curl where TLS checks were explicitly disabled.
Binaries such as rundll32.exe
, regsvr32.exe
, dllhost.exe
, svchost.exe
, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution.
When these processes are seen initiating a network connection with an empty or missing command line, it can indicate
potential injection and communication with a command and control server.
Detection logic
`cisco_network_visibility_module_flowdata`
process_name IN (
"backgroundtaskhost.exe", "svchost.exe", "dllhost.exe", "werfault.exe",
"searchprotocolhost.exe", "wuauclt.exe", "spoolsv.exe", "rundll32.exe",
"regasm.exe", "regsvr32.exe", "regsvcs.exe"
)
NOT process_arguments="*"
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_network_connection_from_process_with_no_args_filter`