Cisco NVM - Suspicious Network Connection From Process With No Args
This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by curl where TLS checks were explicitly disabled. Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution. When these processes are seen initiating a network connection with an empty or missing command line, it can indicate potential injection and communication with a command and control server.
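The detection logic described above, as an added Python illustration rather than the rule's own source (which this page does not show): a flow is flagged when the originating process is one of the listed injection targets and its recorded command line is missing, empty, or consists of nothing but the executable itself. The record field names (`process_name`, `process_args`, `dest`, `dest_port`) and the sample flows are constructed assumptions, not NVM's actual schema or real telemetry.

```python
# Windows binaries commonly injected into by malware and post-exploitation
# frameworks; the page's list is longer ("and others"), this is a subset.
INJECTION_TARGETS = {"rundll32.exe", "regsvr32.exe", "dllhost.exe", "svchost.exe"}

# Constructed sample records loosely modelled on NVM flow data (field names assumed).
SAMPLE_FLOWS = [
    {"process_name": "svchost.exe", "process_args": "", "dest": "203.0.113.10", "dest_port": 443},
    {"process_name": "C:\\Windows\\System32\\rundll32.exe", "dest": "198.51.100.7", "dest_port": 8080},
    {"process_name": "rundll32.exe", "process_args": "rundll32.exe shell32.dll,Control_RunDLL",
     "dest": "10.0.0.5", "dest_port": 80},
    {"process_name": "svchost.exe", "process_args": "svchost.exe -k netsvcs -p",
     "dest": "10.0.0.20", "dest_port": 443},
    {"process_name": "dllhost.exe", "process_args": '"C:\\Windows\\System32\\dllhost.exe"',
     "dest": "192.0.2.44", "dest_port": 4444},
    {"process_name": "chrome.exe", "process_args": "", "dest": "203.0.113.10", "dest_port": 443},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_no_args(process_name, process_args):
    """True when the command line is missing, empty, or only the executable itself."""
    if process_args is None or not process_args.strip():
        return True
    cmd = process_args.strip()
    # The first token may be a quoted path containing spaces.
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first, rest = (cmd[1:end], cmd[end + 1:]) if end != -1 else (cmd[1:], "")
    else:
        first, _, rest = cmd.partition(" ")
    # If the first token is not the image itself, the whole string is arguments.
    if basename(first) != basename(process_name):
        return False
    return rest.strip() == ""


def suspicious_flows(flows):
    """Return flows from an injection-target binary that carries no command-line arguments."""
    hits = []
    for flow in flows:
        name = flow.get("process_name", "")
        if basename(name) in INJECTION_TARGETS and has_no_args(name, flow.get("process_args")):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for hit in suspicious_flows(SAMPLE_FLOWS):
        print(f"{basename(hit['process_name'])} -> {hit['dest']}:{hit['dest_port']} (no args)")
```

On the sample data the three records with an empty, absent, or executable-only command line are reported, while the svchost and rundll32 flows that carry normal arguments and the non-listed browser process are not; a hit is a triage lead, since some collectors also record an empty command line when they fail to read it.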