detections/endpoint/windows_installutil_remote_network_connection.yml
+9-6Lines changed: 9 additions & 6 deletions
@@ -1,6 +1,6 @@
1
1
name: Windows InstallUtil Remote Network Connection
2
2
id: 4fbf9270-43da-11ec-9486-acde48001122
3
-
version: 11
3
+
version: 11
4
4
date: '2025-02-22'
5
5
author: Michael Haag, Splunk
6
6
status: production
@@ -24,14 +24,15 @@ search: |-
24
24
| `drop_dm_object_name(Processes)`
25
25
| `security_content_ctime(firstTime)`
26
26
| `security_content_ctime(lastTime)`
27
-
| join process_id
27
+
| join process_id dest
28
28
[| tstats `security_content_summariesonly`
29
29
count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port !=
30
-
0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port
30
+
0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.src
31
31
| `drop_dm_object_name(All_Traffic)`
32
-
| rename dest as C2 ]
33
-
| table _time user dest parent_process_name process_name process_path process process_id dest_port C2
34
-
| stats count min(_time) as firstTime max(_time) as lastTime values(process) as process values(C2) as command_and_control by user dest process_name process_id dest_port parent_process_name
32
+
| rename dest as command_and_control
33
+
| rename src as dest]
34
+
| table _time user src dest parent_process_name process_name process_path process process_id dest_port command_and_control
35
+
| stats count min(_time) as firstTime max(_time) as lastTime values(process) as process values(command_and_control) as command_and_control by user dest process_name process_id dest_port parent_process_name
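Review bot: The `src` column in the `table` on new line 34 will be empty, because the subsearch renames `src` to `dest` on the line before the closing bracket and the outer Endpoint.Processes search does not appear to carry a `src` field of its own. Either drop it — `| table _time user dest parent_process_name process_name process_path process process_id dest_port command_and_control` — or keep the originating host under a distinct name if it is wanted downstream. Separately, `version: 11` is shown as both removed and added in the first hunk although the search logic changed; unless the rendered view is hiding a whitespace-only edit, the version should be bumped so deployed copies pick up the corrected join. The `search:` block begins before this hunk, and the hunk header counts suggest a few trailing context lines are not shown here.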