← Library
splApache-2.0from splunk/security_content

Cisco NVM - Suspicious Network Connection From Process With No Args

This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by curl where TLS checks were explicitly disabled. Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution. When these processes are seen initiating a network connection with an empty or missing command line, it can indicate potential injection and communication with a command and control server.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
`cisco_network_visibility_module_flowdata`
process_name IN (
  "backgroundtaskhost.exe", "svchost.exe", "dllhost.exe", "werfault.exe",
  "searchprotocolhost.exe", "wuauclt.exe", "spoolsv.exe", "rundll32.exe",
  "regasm.exe", "regsvr32.exe", "regsvcs.exe"
)
NOT process_arguments="*"
NOT dest IN (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
        "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
        "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
        )
| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_network_connection_from_process_with_no_args_filter`