Event ID 3 — Network connection
Description
The network connection event logs TCP/UDP connections on the machine. It is disabled by default and must be switched on through the configuration (a NetworkConnect rule group) or the `-n` command-line option. Each connection is tied to a process through the ProcessId and ProcessGuid fields, and the event carries the source and destination addresses, host names, ports and IPv6 flags.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RuleName | UnicodeString → string | Custom tag mapped to the event, e.g. an ATT&CK technique ID |
| UtcTime | UnicodeString → string | Time in UTC when the event was created |
| ProcessGuid | GUID → GUID | Process GUID of the process that made the network connection |
| ProcessId | UInt32 → PID | Process ID used by the OS to identify the process that made the network connection |
| Image | UnicodeString → string | File path of the process that made the network connection |
| User | UnicodeString → string | Name of the account that made the network connection. It usually contains the domain name and user name |
| Protocol | UnicodeString → string | Protocol used for the network connection. Known values: tcp, udp |
| Initiated | Boolean → boolean | Indicates whether the process initiated the connection (true for outbound, false for an accepted inbound connection) |
| SourceIsIpv6 | Boolean → boolean | Whether the source IP is an IPv6 address |
| SourceIp | UnicodeString → string | Source IP address that made the network connection |
| SourceHostname | UnicodeString → string | Name of the host that made the network connection |
| SourcePort | UInt16 → unsignedShort | Source port number |
| SourcePortName | UnicodeString → string | Name of the source port being used (e.g. netbios-dgm) |
| DestinationIsIpv6 | Boolean → boolean | Whether the destination IP is an IPv6 address |
| DestinationIp | UnicodeString → string | Destination IP address |
| DestinationHostname | UnicodeString → string | Name of the host that received the network connection |
| DestinationPort | UInt16 → unsignedShort | Destination port number |
| DestinationPortName | UnicodeString → string | Name of the destination port |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Sysmon",
"guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"event_source_name": "",
"event_id": 3,
"version": 5,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:03:45.514949+00:00",
"event_record_id": 1437449,
"correlation": {},
"execution": {
"process_id": 7064,
"thread_id": 10068
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RuleName": "-",
"UtcTime": "2023-11-06 02:03:43.450",
"ProcessGuid": "E56ADA26-45B9-6548-970A-000000000D00",
"ProcessId": 13296,
"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"User": "WINDEV2310EVAL\\User",
"Protocol": "udp",
"Initiated": true,
"SourceIsIpv6": false,
"SourceIp": "192.168.92.128",
"SourceHostname": "-",
"SourcePort": 60161,
"SourcePortName": "-",
"DestinationIsIpv6": false,
"DestinationIp": "239.255.255.250",
"DestinationHostname": "-",
"DestinationPort": 1900,
"DestinationPortName": "-"
},
"message": ""
}
Detection Patterns #
- No Command Line: 6 rules (Splunk)
- Asim Network Session Schema: 5 rules (Kusto Query Language), built on Security-Auditing Event ID 5152 (The Windows Filtering Platform blocked a packet) AND Event ID 5154 (The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections) AND Event ID 5155 (The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections) AND Event ID 5156 (The Windows Filtering Platform has permitted a connection) AND Event ID 5157 (The Windows Filtering Platform has blocked a connection) AND Event ID 5158 (The Windows Filtering Platform has permitted a bind to a local port) AND Event ID 5159 (The Windows Filtering Platform has blocked a bind to a local port) AND Sysmon Event ID 3 (Network connection)
- Command & Control: Application Layer Protocol: 2 rules, built on the same Security-Auditing events in sequence (Event ID 5152 → 5154 → 5155 → 5156 → 5157 → 5158 → 5159 → Sysmon Event ID 3)
- Defender-DeviceNetworkEvents Event ID 9004001 (Connection succeeded) OR Security-Auditing Event ID 5156 (The Windows Filtering Platform has permitted a connection) OR Sysmon Event ID 3 (Network connection): 1 rule (Kusto Query Language)
- Collection: Data from Local System: 1 rule (Kusto Query Language)
Detection Rules #
Sigma (20 of 51 rules listed) #
- Network Connection Initiated By AddinUtil.EXE (high): Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate potential command and control communication, as this tool doesn't usually initiate network activity.
- Uncommon Connection to Active Directory Web Services (medium): Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
- Uncommon Network Connection Initiated By Certutil.EXE (high): Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
- Outbound Network Connection Initiated By Cmstp.EXE (high): Detects a network connection initiated by Cmstp.EXE. It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
- Outbound Network Connection Initiated By Microsoft Dialer (high): Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current context of its usage and is a common target for info stealers for process injection, and is used to make C2 connections; a common example is "Rhadamanthys".
- Network Connection Initiated To AzureWebsites.NET By Non-Browser Process (medium): Detects a network connection initiated by a non-browser process on the system to "azurewebsites.net", which has often been used by threat actors as a malware hosting and exfiltration site.
- Network Connection Initiated To BTunnels Domains (medium): Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Network Connection Initiated To Cloudflared Tunnels Domains (medium): Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Network Communication With Crypto Mining Pool (high): Detects initiated network connections to crypto mining pools.
- New Connection Initiated To Potential Dead Drop Resolver Domain (high): Detects an executable which is not an internet browser or known application initiating network connections to legitimate popular websites that were seen used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc., in order to pass through undetected.
- Network Connection Initiated To DevTunnels Domain (medium): Detects network connections to DevTunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
- Suspicious Dropbox API Usage (high): Detects an executable that isn't Dropbox but communicates with the Dropbox API.
- Suspicious Network Connection to IP Lookup Service APIs (medium): Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of post-compromise internet connectivity testing.
- Suspicious Non-Browser Network Communication With Google API (medium): Detects a non-browser process interacting with the Google API, which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet).
- Communication To LocaltoNet Tunneling Service Initiated (high): Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen using this service for command-and-control activities to bypass MFA and perimeter controls.
- Network Connection Initiated To Mega.nz (low): Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
- Process Initiated Network Connection To Ngrok Domain (high): Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using ngrok in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or additional downloads.
- Communication To Ngrok Tunneling Service Initiated (high): Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using ngrok in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or additional downloads.
- Potentially Suspicious Network Connection To Notion API (low): Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2".
- Network Communication Initiated To Portmap.IO Domain (medium): Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors.
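Most of the Sigma rules above key on two fields of the event shown earlier: the process Image (with browsers excluded) and a DestinationHostname suffix (ngrok, DevTunnels, azurewebsites.net and so on); the Splunk Regasm/Regsvcs analytics in the next section key instead on DestinationIp lying outside private ranges. The block below is an added example of both checks in Python; it is not code from this page, from SigmaHQ or from Splunk. Everything in it is constructed: the sample events follow the shape of the example event (the first one is that SSDP query), the process paths, PIDs and hostnames are hypothetical, the domain suffixes and browser list are a small illustrative subset of what the real rules carry, and the address classification goes slightly beyond the "exclude private ranges" wording by also dropping loopback, link-local and multicast destinations. Two caveats a practitioner should know: Sysmon fills DestinationHostname from a reverse DNS lookup (the configuration can turn that off) and writes "-" when nothing resolved, as in the example event, so hostname-based rules only fire when a name was available; and IPv6 sockets talking to IPv4 peers produce IPv4-mapped addresses (::ffff:a.b.c.d), which the code unwraps so an internal peer is not mistaken for an external one.

```python
import ipaddress
import ntpath
from typing import Any, Dict, Iterable, List, Optional, Sequence, Tuple

# Constructed event_data objects in the shape of the example event above. The first is
# the SSDP query from that example; the others are hypothetical, built for this illustration.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ProcessId": 13296, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "udp", "Initiated": True, "SourceIp": "192.168.92.128",
     "DestinationIp": "239.255.255.250", "DestinationPort": 1900, "DestinationHostname": "-"},
    {"ProcessId": 5012, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.92.128",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443, "DestinationHostname": "-"},
    {"ProcessId": 5012, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.92.128",
     "DestinationIp": "192.168.92.1", "DestinationPort": 445, "DestinationHostname": "-"},
    # the hostname is what the rule keys on; the IP is a placeholder, not what that name resolves to
    {"ProcessId": 7710, "Image": r"C:\Users\User\AppData\Local\Temp\update.exe",
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.92.128",
     "DestinationIp": "8.8.4.4", "DestinationPort": 443,
     "DestinationHostname": "abcd-1234.euw.devtunnels.ms"},
    # inbound RDP as seen on the host itself, over an IPv4-mapped IPv6 socket
    {"ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "Initiated": False, "SourceIp": "::ffff:192.168.92.77",
     "DestinationIp": "::ffff:192.168.92.128", "DestinationPort": 3389, "DestinationHostname": "-"},
]

# Illustrative subsets (assumptions), not the full lists carried by the real rules.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}
TUNNEL_SUFFIXES: Sequence[str] = ("ngrok.io", "ngrok-free.app", "devtunnels.ms",
                                  "trycloudflare.com", "azurewebsites.net")
REGISTRATION_UTILITIES = {"regasm.exe", "regsvcs.exe"}


def destination_class(ip_text: str) -> str:
    """Classify a Sysmon DestinationIp/SourceIp string as 'loopback', 'link-local',
    'multicast', 'private', 'public' or 'invalid'. IPv4-mapped IPv6 is unwrapped first."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"


def image_name(ev: Dict[str, Any]) -> str:
    """Lower-cased basename of Image; Sigma 'Image|endswith' matches are case-insensitive."""
    return ntpath.basename(str(ev.get("Image", ""))).lower()


def hostname_suffix_match(ev: Dict[str, Any], suffixes: Sequence[str]) -> Optional[str]:
    """DestinationHostname|endswith-style match that respects label boundaries
    (so 'notngrok.io' does not match 'ngrok.io') and treats Sysmon's '-' as no name."""
    host = str(ev.get("DestinationHostname", "-")).lower().rstrip(".")
    if host in ("", "-"):
        return None
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def is_outbound_to_public(ev: Dict[str, Any]) -> bool:
    """Initiated (outbound) connection whose destination is a routable address."""
    return bool(ev.get("Initiated")) and destination_class(str(ev.get("DestinationIp", ""))) == "public"


def non_browser_to_tunnel(events: Iterable[Dict[str, Any]]) -> List[Tuple[int, str, str]]:
    """Shape of the 'Network Connection Initiated To ... Domain' Sigma rules above."""
    hits = []
    for ev in events:
        if not ev.get("Initiated") or image_name(ev) in BROWSERS:
            continue
        suffix = hostname_suffix_match(ev, TUNNEL_SUFFIXES)
        if suffix:
            hits.append((ev["ProcessId"], image_name(ev), suffix))
    return hits


def registration_utility_to_public(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Shape of the Splunk 'Detect Regasm/Regsvcs with Network Connection' analytics."""
    return [ev for ev in events
            if image_name(ev) in REGISTRATION_UTILITIES and is_outbound_to_public(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcessId"], image_name(ev), "outbound" if ev["Initiated"] else "inbound",
              ev["DestinationIp"], destination_class(ev["DestinationIp"]))
    print("tunnel:", non_browser_to_tunnel(SAMPLE_EVENTS))
    print("lolbin:", [(e["ProcessId"], e["DestinationIp"])
                      for e in registration_utility_to_public(SAMPLE_EVENTS)])
```

Run as a script it classifies each sample (the SSDP query lands in "multicast", which is why rules of this kind never fire on it) and reports one tunnel hit and one Regasm hit. Note that Python's ipaddress also treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so when testing this kind of logic use a genuinely routable address, as the constructed events do.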
Splunk #
- Detect Regasm with Network Connection: The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.
- Detect Regsvcs with Network Connection: The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.
- LOLBAS With Network Traffic: The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.
- Network Traffic to Active Directory Web Services Protocol: The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.
- Windows Detect Network Scanner Behavior: The following analytic detects when an application is used to connect to a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and the applications being actively used; it is highly recommended to pre-populate the filter macro prior to activation.
- Windows File Transfer Protocol In Non-Common Process Path: The following analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like "Program Files" or "Windows\System32". This activity is significant as FTP is often used by adversaries and malware, such as AgentTesla, for Command and Control (C2) communications to exfiltrate stolen data. If confirmed malicious, this could lead to unauthorized data transfer, exposing sensitive information and compromising the integrity of the affected host.
- Windows Mail Protocol In Non-Common Process Path: The following analytic detects a Windows application establishing an SMTP connection from a non-common installation path. It leverages Sysmon EventCode 3 to identify processes not typically associated with email clients (e.g., Thunderbird, Outlook) making SMTP connections. This activity is significant as adversaries, including malware like AgentTesla, use such connections for Command and Control (C2) communication to exfiltrate stolen data. If confirmed malicious, this behavior could lead to unauthorized data exfiltration, including sensitive information like desktop screenshots, browser data, and system details, compromising the affected host.
- Windows Suspect Process With Authentication Traffic: The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.
- Windows Remote Desktop Network Bruteforce Attempt: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
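Two of the Splunk analytics above, Windows Detect Network Scanner Behavior and Windows Remote Desktop Network Bruteforce Attempt, count connections instead of matching single records, and the same counting can be run straight over Event ID 3 data. The block below is an added example in Python; it is not Splunk's search logic and not code from this page. It builds a constructed timeline of event_data objects (hypothetical images, PIDs and peers) and runs sliding-window counts over it; the thresholds (20 distinct targets within 60 seconds for the scanner, more than 10 RDP connections within an hour for the brute force) are assumptions standing in for the tuning the Splunk descriptions call for. Two points worth keeping in mind: on the target host the RDP attempts show up as inbound records (Initiated false, SourceIp is the remote client), so the brute-force count must not be restricted to initiated connections; and Event ID 3 only counts TCP connections, not failed logons, so confirm against Security Event ID 4625 before calling it a brute force.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Tuple

# Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.mmm" (see the example event above).
UTC_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_utc(text: str) -> datetime:
    return datetime.strptime(text, UTC_FMT)


def fmt_utc(when: datetime) -> str:
    return when.strftime("%Y-%m-%d %H:%M:%S.") + f"{when.microsecond // 1000:03d}"


def make_event(when: datetime, image: str, pid: int, src_ip: str, dst_ip: str,
               dst_port: int, initiated: bool = True, proto: str = "tcp") -> Dict[str, Any]:
    """Minimal Event ID 3 event_data object (constructed, not real telemetry)."""
    return {"UtcTime": fmt_utc(when), "Image": image, "ProcessId": pid, "Protocol": proto,
            "Initiated": initiated, "SourceIp": src_ip, "DestinationIp": dst_ip,
            "DestinationPort": dst_port}


# Constructed timeline as seen by Sysmon on host 192.168.92.128 (hypothetical images, PIDs, peers).
T0 = datetime(2023, 11, 6, 2, 10, 0)
SAMPLE_EVENTS: List[Dict[str, Any]] = []
# (a) one process reaching 25 distinct ports on a neighbour within 25 seconds
for i in range(25):
    SAMPLE_EVENTS.append(make_event(T0 + timedelta(seconds=i), r"C:\Users\Public\scan.exe", 4242,
                                    "192.168.92.128", "192.168.92.10", 20 + 7 * i))
# (b) 12 inbound RDP connections from one client in under four minutes: on the target
#     Initiated is False and SourceIp is the remote client
for i in range(12):
    SAMPLE_EVENTS.append(make_event(T0 + timedelta(seconds=20 * i), r"C:\Windows\System32\svchost.exe",
                                    1180, "192.168.92.77", "192.168.92.128", 3389, initiated=False))
# (c) background noise: a browser talking to three internal hosts
for i, dst in enumerate(["10.20.0.5", "10.20.0.6", "10.20.0.7"]):
    SAMPLE_EVENTS.append(make_event(T0 + timedelta(seconds=5 * i),
                                    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                    13296, "192.168.92.128", dst, 443))


def detect_network_scanner(events: Iterable[Dict[str, Any]], window: timedelta = timedelta(seconds=60),
                           min_targets: int = 20) -> Dict[Tuple[str, int], int]:
    """Per (Image, ProcessId): largest number of distinct (DestinationIp, DestinationPort)
    targets inside any sliding window. Only outbound (Initiated) records count."""
    by_proc: Dict[Tuple[str, int], List[Tuple[datetime, Tuple[str, int]]]] = defaultdict(list)
    for ev in events:
        if ev["Initiated"]:
            by_proc[(ev["Image"], ev["ProcessId"])].append(
                (parse_utc(ev["UtcTime"]), (ev["DestinationIp"], ev["DestinationPort"])))
    hits: Dict[Tuple[str, int], int] = {}
    for proc, rows in by_proc.items():
        rows.sort(key=lambda r: r[0])
        lo, best = 0, 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            best = max(best, len({target for _, target in rows[lo:hi + 1]}))
        if best >= min_targets:
            hits[proc] = best
    return hits


def detect_rdp_bruteforce(events: Iterable[Dict[str, Any]], window: timedelta = timedelta(hours=1),
                          threshold: int = 10, rdp_port: int = 3389) -> Dict[Tuple[str, str], Dict[str, Any]]:
    """Per (SourceIp, DestinationIp): more than `threshold` inbound TCP connections to the
    RDP port inside any sliding window, with first/last seen times for triage."""
    by_peer: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        if not ev["Initiated"] and ev["Protocol"] == "tcp" and ev["DestinationPort"] == rdp_port:
            by_peer[(ev["SourceIp"], ev["DestinationIp"])].append(parse_utc(ev["UtcTime"]))
    hits: Dict[Tuple[str, str], Dict[str, Any]] = {}
    for peer, times in by_peer.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > threshold:
            hits[peer] = {"attempts": best, "first": fmt_utc(times[0]), "last": fmt_utc(times[-1])}
    return hits


if __name__ == "__main__":
    print("scanner:", detect_network_scanner(SAMPLE_EVENTS))
    print("rdp:", detect_rdp_bruteforce(SAMPLE_EVENTS))
```

The sliding window matters more than it looks: a fixed one-hour bucket splits a burst that straddles the boundary into two under-threshold halves, while the window above slides record by record and catches it. In production the per-process key should also take ProcessGuid rather than ProcessId, since PIDs are reused, and the scanner rule needs the allow-list of legitimate scanners (vulnerability management, monitoring agents) that the Splunk description warns about.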
Kusto Query Language #
- Zinc Actor IOCs files - October 2022 (high): Identifies a match across filename and command-line IOCs related to an actor tracked by Microsoft as Zinc. Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
References #
- Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-3-network-connection
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- OSSEM-DD https://github.com/OTRF/OSSEM-DD/blob/main/windows/sysmon/events/event-3.yml
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection