Windows anomalous network activity
Goal
Detects network activity from processes that rarely generate it compared with other processes, using a rare function that detects values occurring rarely over time or rarely across a population of hosts.
Description
Identifies OS processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity.
A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.
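The population-rarity check described above, as an added illustration that is not the vendor's rare function: constructed events carry the rule's required fields, and a process is flagged when it appears on very few hosts and accounts for a small share of all network events (the thresholds max_hosts and max_share are assumptions).

```python
from collections import Counter, defaultdict


def ev(host, proc, user, dst, action="allowed"):
    """Build one network event using the rule's required fields."""
    return {"hostName": host, "processName": proc, "userName": user,
            "destinationAddress": dst, "action": action}


# Constructed sample telemetry (not real data): browsers and mail clients
# talk to the network on every host; notepad.exe does so on exactly one.
EVENTS = (
    [ev(f"ws{i:02d}", "chrome.exe", "alice", "93.184.216.34") for i in range(1, 11)] * 3
    + [ev(f"ws{i:02d}", "outlook.exe", "bob", "203.0.113.10") for i in range(1, 11)] * 2
    + [ev("ws03", "notepad.exe", "carol", "198.51.100.7")]
)


def rare_network_processes(events, max_hosts=1, max_share=0.05):
    """Flag processes whose network activity is rare across the population.

    A process is rare when it is seen on at most max_hosts distinct hosts and
    produces at most max_share of all network events. Returns a dict keyed by
    processName with the hosts involved, the share, and the matching events so
    an analyst can pivot on destinationAddress and userName.
    """
    hosts = defaultdict(set)
    counts = Counter()
    for e in events:
        hosts[e["processName"]].add(e["hostName"])
        counts[e["processName"]] += 1
    total = sum(counts.values())
    flagged = {}
    for proc, n in counts.items():
        share = n / total
        if len(hosts[proc]) <= max_hosts and share <= max_share:
            flagged[proc] = {
                "hosts": sorted(hosts[proc]),
                "share": round(share, 4),
                "events": [e for e in events if e["processName"] == proc],
            }
    return flagged


if __name__ == "__main__":
    for proc, info in rare_network_processes(EVENTS).items():
        print(proc, info["hosts"], info["share"], info["events"][0]["destinationAddress"])
```

Tuning max_hosts and max_share against a fleet's real baseline is what separates this rule from noise; a process common on one department's hosts but absent elsewhere needs a per-population baseline rather than a global one.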
Characteristics
Type
Network
Data source
Windows Threat Hunting
Required fields
destinationAddress
hostName
processName
userName
action
Last updated