Query for Unusual Windows Network Activity
AID2201222121.YAML
#####aid_begin
#description: identifies the unusual windows network activity
#id: aid2201222121
#processtype: query
#category: network
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# invoke-bgnetstat
#notes: |-
# identifies windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. a process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.
#####aid_end
commands:
- Invoke-BGNetStat Last updated