Name:Cisco NVM - Non-Network Binary Making Network Connection id:c6db35af-8a0e-4b61-88ed-738e66f15715 version:1 date:2025-07-01 author:Nasreddine Bencherchali, Splunk status:production type:Anomaly Description:This analytic detects network connections initiated by binaries that are not typically associated with network communication,
such as 'notepad.exe', 'calc.exe' or 'write.exe'.
It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information.
These applications are normally used for locally and do not require outbound network access. When they do initiate such connections, it may indicate process hollowing, code injection, or proxy execution, where adversaries abuse a trusted process to mask malicious activity.
Data_source:
-Cisco Network Visibility Module Flow Data
search:`cisco_network_visibility_module_flowdata` process_name IN ( "notepad.exe", "write.exe", "mspaint.exe", "calc.exe", "addinutil.exe", "cmstp.exe", "dialer.exe", "eqnedt32.exe", "IMEWDBLD.exe" ) NOT dest IN ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" ) | stats count min(_time) as firstTime max(_time) as lastTime values(parent_process_arguments) as parent_process_arguments values(process_arguments) as process_arguments values(parent_process_hash) as parent_process_hash values(process_hash) as process_hash values(module_name_list) as module_name_list values(module_hash_list) as module_hash_list values(dest_port) as dest_port values(aliul) as additional_logged_in_users_list values(dest_hostname) as dest_hostname by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash process_integrity_level process_path process_name process_arguments process_hash process_id additional_logged_in_users_list module_name_list module_hash_list src dest_hostname dest dest_port transport firstTime lastTime | `cisco_nvm___non_network_binary_making_network_connection_filter`
how_to_implement:This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named `cisco_network_visibility_module_flowdata`.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
known_false_positives:Rare cases may exist where these binaries are used by plugins or third-party extensions to initiate outbound communication.
However, such behavior is extremely uncommon and should be investigated for potential injection or abuse.
References: -https://redcanary.com/threat-detection-report/techniques/process-injection/ -https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html drilldown_searches: name:'View the detection results for - "$src$"' search:'%original_detection_search% | search src = "$src$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cisco Network Visibility Module Analytics' asset_type:Endpoint mitre_attack_id: - 'T1055' - 'T1036' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' security_domain:endpoint
