Language: SPL · License: Apache-2.0 · Source: splunk/security_content
Cisco NVM - Non-Network Binary Making Network Connection
This analytic detects network connections initiated by binaries that are not normally associated with network communication, such as notepad.exe, calc.exe or write.exe. It leverages Cisco Network Visibility Module (NVM) logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These applications are normally used locally and do not require outbound network access, so a connection from one of them may indicate process hollowing, code injection, or proxy execution, where an adversary abuses a trusted process to mask malicious activity. When triaging a match, check the process path (the expected System32 binary, or a copy dropped elsewhere?), the parent process, and the destination, and validate the binary list against what legitimately reaches the network in your environment before alerting on it.
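The detection logic described above, as an added example that is not the Splunk rule source or any Cisco code: a Python re-implementation run over constructed NVM-style flow records. The field names (process_name, process_path, process_args, parent_process_name, dest_ip, dest_port, host, user), the extra binary mspaint.exe, and the list of scripting parents are assumptions, not the rule's own definitions.

```python
"""Toy re-implementation of the 'non-network binary making a network
connection' check over constructed Cisco NVM-style flow records.
Not the Splunk rule source; the field names are assumptions, not
Cisco's documented NVM schema."""
import ipaddress
import json
from pathlib import PureWindowsPath

# Binaries the page names; mspaint.exe is an assumed addition. Tune per environment.
NON_NETWORK_BINARIES = {"notepad.exe", "calc.exe", "write.exe", "mspaint.exe"}

# Parents that make a match more suspicious (assumed list, not from the page):
# scripting hosts and Office apps are common injection / proxy-execution chains.
SCRIPTING_PARENTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "winword.exe", "excel.exe"}

# Constructed sample flow events as JSON lines; not real telemetry.
SAMPLE_FLOWS = r"""
{"ts":"2024-05-01T10:00:01Z","host":"ws01","user":"alice","process_name":"chrome.exe","process_path":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","process_args":"--type=renderer","parent_process_name":"explorer.exe","dest_ip":"142.250.72.14","dest_port":443}
{"ts":"2024-05-01T10:00:05Z","host":"ws01","user":"alice","process_name":"notepad.exe","process_path":"C:\\Windows\\System32\\notepad.exe","process_args":"notepad.exe","parent_process_name":"winword.exe","dest_ip":"203.0.113.45","dest_port":8443}
{"ts":"2024-05-01T10:00:09Z","host":"ws02","user":"bob","process_name":"CALC.EXE","process_path":"C:\\Windows\\System32\\calc.exe","process_args":"calc.exe","parent_process_name":"powershell.exe","dest_ip":"198.51.100.7","dest_port":80}
{"ts":"2024-05-01T10:00:12Z","host":"ws02","user":"bob","process_name":"write.exe","process_path":"C:\\Windows\\write.exe","process_args":"write.exe","parent_process_name":"explorer.exe","dest_ip":"127.0.0.1","dest_port":5000}
{"ts":"2024-05-01T10:00:15Z","host":"ws03","user":"carol","process_name":"outlook.exe","process_path":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","process_args":"","parent_process_name":"explorer.exe","dest_ip":"52.96.0.10","dest_port":443}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path or bare process name."""
    return PureWindowsPath(path).name.lower()


def _is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses count as not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def detect(flow_lines: str, watch=NON_NETWORK_BINARIES, ignore_loopback: bool = True):
    """Return one alert dict per flow whose process is in `watch`.

    Matches on both the reported process_name and the basename of
    process_path so that casing differences or a missing field do not
    hide an event. Loopback destinations are skipped by default because
    they are not outbound traffic; pass ignore_loopback=False to keep them.
    """
    alerts = []
    for line in flow_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        names = {_basename(ev.get("process_name", "")),
                 _basename(ev.get("process_path", ""))}
        matched = names & watch
        if not matched:
            continue
        if ignore_loopback and _is_loopback(ev.get("dest_ip", "")):
            continue
        parent = ev.get("parent_process_name", "").lower()
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "user": ev.get("user"),
            "process": sorted(matched)[0],
            # Path and parent are what an analyst needs to tell a hollowed or
            # injected System32 binary from a renamed dropper.
            "process_path": ev.get("process_path"),
            "process_args": ev.get("process_args"),
            "parent": parent,
            "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "suspicious_parent": parent in SCRIPTING_PARENTS,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(json.dumps(alert))
```

With the sample above, the chrome.exe and outlook.exe flows pass, the write.exe flow to 127.0.0.1 is dropped as loopback, and the notepad.exe and calc.exe flows alert, both flagged with a scripting or Office parent. Skipping loopback is a tuning choice: keep those events if local proxies or listener-based injection chains matter in your environment.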
Quality: 67 · FP risk: n/a · Forks: 0 · Views: 1