Enhancement Request: Correlate PowerShell Hidden Window Execution with Network Traffic for Accurate Internet Connection Detection #3608

@thegreatmhn

Description

The current ESCU detection rule “PowerShell - Connect To Internet With Hidden Window” only detects PowerShell processes launched with the -WindowStyle Hidden flag but does not correlate with actual network activity. This results in potential false positives since a hidden PowerShell window does not guarantee an internet connection or data exfiltration attempt.

Describe the solution you'd like
Enhance the rule to correlate PowerShell process executions with external network traffic by joining the Endpoint.Processes and Network_Traffic data models on host and process_id. Additionally, exclude private IP address ranges to focus on suspicious outbound connections. This would confirm that a PowerShell process running with a hidden window is indeed making internet connections, improving detection accuracy.

Describe alternatives you've considered
One alternative is to rely solely on the current process metadata without network correlation, which leads to more false positives. Another is to expand the detection by including additional PowerShell stealth flags, but without network confirmation, the detection remains incomplete.

Additional context
I have created a revised SPL query implementing this correlation and filtering, which significantly improves the fidelity of the detection. The rule also maintains detection of the -WindowStyle Hidden flag in the PowerShell command line. Timing correlation and key fields like process_guid could be further optimized depending on data availability.

Revised SPL Query:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes where `process_powershell`
  by host Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
```inner join on host + process_id only; max=0 keeps every external destination the process talked to```
| join max=0 host process_id
    [| tstats `security_content_summariesonly` count min(_time) as net_firstTime max(_time) as net_lastTime
       from datamodel=Network_Traffic where index=sysmon NOT All_Traffic.dest IN ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
       by host All_Traffic.process_id All_Traffic.src All_Traffic.dest All_Traffic.dest_port
     ```the subsearch fields are All_Traffic.*, so strip that prefix (not Processes)```
     | `drop_dm_object_name(All_Traffic)`
     ```network timestamps are renamed so they do not overwrite the process firstTime/lastTime on join```
     | table host net_firstTime net_lastTime process_id src dest dest_port]
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| stats count by host firstTime lastTime user parent_process_name src dest dest_port process
```same -WindowStyle / -w match the existing ESCU rule uses```
| where match(process,"(?i)[-|/|\–|\—|\―]w(indowstyle*)*\s+[^-]")
| `powershell___connect_to_internet_with_hidden_window_filter`
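The following is an added, offline model of the correlation the issue proposes; it is example code written for this page, not the issue author's SPL and not part of ESCU. It joins constructed process and network events on (host, process_id), drops destinations inside the three RFC1918 ranges the SPL excludes, and applies the ESCU rule's own window-style regex. The `POWERSHELL_NAMES` set is an assumed stand-in for the `process_powershell` macro, whose real expansion is not on the page, and all event data is constructed.

```python
"""Offline model of the proposed detection: a PowerShell process launched with
a hidden window alerts only when the same (host, process_id) also produced a
connection to a non-RFC1918 destination."""
import ipaddress
import re
from collections import Counter, defaultdict

# The three ranges the SPL subsearch excludes with NOT All_Traffic.dest IN (...).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# The ESCU rule's own regex, applied to the process command line.
HIDDEN_WINDOW_RE = re.compile(r"(?i)[-|/|\–|\—|\―]w(indowstyle*)*\s+[^-]")

# Assumed expansion of the `process_powershell` macro (hypothetical; the
# macro's real contents are not on the page).
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_external(dest):
    """True when dest lies outside the excluded RFC1918 ranges.
    Mirrors the SPL semantics: a value that is not an IP is not IN any range."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return True
    return not any(ip in net for net in PRIVATE_RANGES)


def correlate(process_events, network_events):
    """Inner-join process and network events on (host, process_id), keep only
    PowerShell processes whose command line sets a window style, and return one
    finding per external connection (the SPL join with max=0 behaves the same)."""
    net_by_key = defaultdict(list)
    for n in network_events:
        if is_external(n["dest"]):
            net_by_key[(n["host"], n["process_id"])].append(n)

    findings = []
    for p in process_events:
        if p["process_name"].lower() not in POWERSHELL_NAMES:
            continue
        if not HIDDEN_WINDOW_RE.search(p["process"]):
            continue
        for n in net_by_key.get((p["host"], p["process_id"]), []):
            findings.append({
                "host": p["host"], "user": p["user"],
                "parent_process_name": p["parent_process_name"],
                "process": p["process"], "process_id": p["process_id"],
                "src": n["src"], "dest": n["dest"], "dest_port": n["dest_port"],
            })
    return findings


def summarize(findings):
    """Equivalent of the closing `stats count by ...`: a count per tuple."""
    return Counter((f["host"], f["user"], f["parent_process_name"],
                    f["src"], f["dest"], f["dest_port"], f["process"])
                   for f in findings)


# Constructed sample events (not real telemetry); field names follow the CIM
# Endpoint.Processes / Network_Traffic objects used in the query.
PROCESS_EVENTS = [
    # hidden window + external connection -> the one true positive
    {"host": "ws01", "process_id": 4120, "process_name": "powershell.exe",
     "parent_process_name": "winword.exe", "user": "CORP\\alice",
     "process": "powershell.exe -WindowStyle Hidden -NoProfile -File C:\\Temp\\task.ps1"},
    # hidden window, but only an internal SMB connection -> filtered out
    {"host": "ws01", "process_id": 5300, "process_name": "powershell.exe",
     "parent_process_name": "svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "process": "powershell.exe -w hidden -File C:\\Scripts\\inventory.ps1"},
    # hidden window, no network event at all -> the false positive the issue targets
    {"host": "ws02", "process_id": 7700, "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe", "user": "CORP\\bob",
     "process": "powershell.exe -WindowStyle Hidden -Command Get-Date"},
    # external connection, but no window-style flag -> regex does not match
    {"host": "ws02", "process_id": 8800, "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe", "user": "CORP\\bob",
     "process": "powershell.exe -NoProfile -Command Invoke-WebRequest"},
    # same pid as ws01's hit on another host, and not PowerShell -> no join
    {"host": "ws03", "process_id": 4120, "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe", "user": "CORP\\carol",
     "process": "cmd.exe /c whoami"},
]
NETWORK_EVENTS = [
    {"host": "ws01", "process_id": 4120, "src": "10.1.2.3", "dest": "203.0.113.45", "dest_port": 443},
    {"host": "ws01", "process_id": 5300, "src": "10.1.2.3", "dest": "10.0.0.5", "dest_port": 445},
    {"host": "ws02", "process_id": 8800, "src": "10.1.2.4", "dest": "198.51.100.7", "dest_port": 80},
    {"host": "ws03", "process_id": 4120, "src": "10.1.2.5", "dest": "198.51.100.9", "dest_port": 443},
]

if __name__ == "__main__":
    for key, count in summarize(correlate(PROCESS_EVENTS, NETWORK_EVENTS)).items():
        print(count, key)
```

Only the ws01/4120 event survives: the internal-only process, the process with no network event, the unflagged process and the cross-host pid collision all drop out, which is exactly the false-positive reduction the issue argues for. Note that `ipaddress.ip_address(...).is_private` would also exclude loopback, link-local and 100.64.0.0/10; the explicit range list is used here to stay faithful to the SPL.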

Metadata

Assignees: none
Labels: enhancement (New feature or request)
Projects: none
Milestone: none
Relationships: none yet
Development: no branches or pull requests