T1001.003

Protocol or Service Impersonation

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By mimicking legitimate protocols or web services, adversaries make their C2 traffic blend in with normal network traffic. Techniques include FakeTLS (malformed TLS handshakes that mimic real TLS but use different encryption), custom HTTP header manipulation, URI endpoint spoofing, SSL certificate impersonation, and mimicking well-known services like Gmail or Google Drive. Real-world examples include Lazarus Group's FakeTLS, Cobalt Strike malleable C2 profiles, SUNBURST's OIP protocol masquerading, and Mustang Panda's PUBLOAD/StarProxy tools.

Microsoft Sentinel / Defender

kusto

let FakeTLSPorts = dynamic([443, 8443, 4443, 8080, 8888]);
let SuspiciousUserAgents = dynamic([
  "Mozilla/4.0", "Mozilla/3.0", "MSIE",
  "WinHttp", "curl/7.1", "Python/2", "Go-http-client/1.1"
]);
let KnownC2Headers = dynamic([
  "DSID", "X-Session-Id", "X-Request-Id",
  "Authorization: Basic", "Cookie: session=",
  "X-Forwarded-For"
]);
// Detection 1: TLS on non-standard ports (potential FakeTLS)
let FakeTLSBeacon = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (FakeTLSPorts)
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "teams.exe", "slack.exe", "zoom.exe", "outlook.exe", "onedrive.exe", "svchost.exe"))
| summarize ConnectionCount=count(), BytesSent=sum(SentBytes), BytesReceived=sum(ReceivedBytes),
            UniqueRemoteIPs=dcount(RemoteIP), Ports=make_set(RemotePort),
            FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| where ConnectionCount >= 3 or BytesSent > 50000
| extend BeaconInterval = datetime_diff('minute', LastSeen, FirstSeen)
| extend SuspicionReason = "TLS-port-non-browser-process";
// Detection 2: HTTP traffic mimicking known services with anomalous patterns
let AnomalousHTTP = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (80, 443, 8080, 8443)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ ("svchost.exe", "lsass.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe")
| summarize ConnectionCount=count(), UniqueRemoteIPs=dcount(RemoteIP),
            BytesSent=sum(SentBytes), BytesReceived=sum(ReceivedBytes),
            FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId
| where ConnectionCount >= 2
| extend SuspicionReason = "HTTP-from-suspicious-process";
// Detection 3: Beaconing pattern - regular interval connections
let BeaconingPattern = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "teams.exe", "slack.exe", "zoom.exe", "outlook.exe", "onedrive.exe", "svchost.exe", "MsMpEng.exe"))
| summarize ConnectionTimes=make_list(Timestamp), ConnectionCount=count(),
            UniqueRemoteIPs=dcount(RemoteIP), BytesSent=sum(SentBytes)
  by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| where ConnectionCount between (5 .. 200)
| extend TimeDiffs = series_subtract(array_slice(ConnectionTimes, 1, -1), array_slice(ConnectionTimes, 0, -2))
| extend AvgIntervalMs = todouble(array_sum(TimeDiffs)) / array_length(TimeDiffs)
| extend StdDevInterval = series_stats_dynamic(TimeDiffs)["stdev"]
| where AvgIntervalMs > 0 and todouble(StdDevInterval) / AvgIntervalMs < 0.30
| extend SuspicionReason = "regular-beaconing-interval";
// Union results
FakeTLSBeacon
| union AnomalousHTTP
| project Timestamp=FirstSeen, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, ConnectionCount, UniqueRemoteIPs,
          BytesSent, BytesReceived, SuspicionReason
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate monitoring agents (Datadog, SolarWinds, Nagios) that beacon on regular intervals to their management servers
Application performance monitoring tools making regular HTTP health checks from svchost-hosted services
Custom internal applications using non-standard TLS ports for internal API communications
Software update mechanisms in enterprise software (Java, Adobe, etc.) making regular check-in connections

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3)
NOT (Image IN ("*\\chrome.exe", "*\\firefox.exe", "*\\msedge.exe", "*\\iexplore.exe", "*\\teams.exe", "*\\slack.exe", "*\\zoom.exe", "*\\outlook.exe", "*\\onedrive.exe"))
NOT (DestinationIp IN ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*"))
| eval SuspiciousProcess=if(match(Image, "(svchost\.exe|lsass\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|msbuild\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|certutil\.exe|bitsadmin\.exe)"), 1, 0)
| eval FakeTLSPort=if(DestinationPort IN ("443", "8443", "4443", "8080", "8888") AND SuspiciousProcess=1, 1, 0)
| eval NonStandardPort=if(NOT DestinationPort IN ("80", "443", "8080", "8443", "25", "465", "587", "53", "123", "636", "389", "3389", "22"), 1, 0)
| eval SmallFixedPayload=if(isnotnull(RequestSizeBytes) AND RequestSizeBytes > 100 AND RequestSizeBytes < 2048, 1, 0)
| stats count as ConnectionCount,
        dc(DestinationIp) as UniqueRemoteIPs,
        values(DestinationPort) as Ports,
        sum(eval(if(isnotnull(RequestSizeBytes), RequestSizeBytes, 0))) as TotalBytesSent,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen,
        max(FakeTLSPort) as FakeTLSPortFlag,
        max(SuspiciousProcess) as SuspiciousProcessFlag,
        max(NonStandardPort) as NonStandardPortFlag
  by host, Image, DestinationIp
| where ConnectionCount >= 3
| eval DurationMinutes=round((LastSeen - FirstSeen) / 60, 1)
| eval AvgIntervalSeconds=if(ConnectionCount > 1, round((LastSeen - FirstSeen) / (ConnectionCount - 1), 1), null())
| eval SuspicionScore=FakeTLSPortFlag + SuspiciousProcessFlag + NonStandardPortFlag
| eval BeaconingLikely=if(AvgIntervalSeconds > 30 AND AvgIntervalSeconds < 3600 AND ConnectionCount >= 5, 1, 0)
| eval SuspicionScore=SuspicionScore + BeaconingLikely
| where SuspicionScore >= 1
| eval SuspicionDetail=case(
    FakeTLSPortFlag=1 AND SuspiciousProcessFlag=1, "FakeTLS-suspicious-process",
    SuspiciousProcessFlag=1 AND BeaconingLikely=1, "suspicious-process-beaconing",
    BeaconingLikely=1, "regular-beaconing-pattern",
    FakeTLSPortFlag=1, "TLS-port-non-browser",
    true(), "anomalous-outbound"
  )
| table FirstSeen, host, Image, DestinationIp, Ports, ConnectionCount, UniqueRemoteIPs, TotalBytesSent, AvgIntervalSeconds, DurationMinutes, SuspicionScore, SuspicionDetail
| sort - SuspicionScore, - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate monitoring agents (Datadog, SolarWinds, Nagios) that beacon regularly to their management servers
Application performance monitoring tools making regular HTTP health checks from svchost-hosted services
Custom internal applications using non-standard TLS ports for internal API communications
Software update mechanisms making regular check-in connections (Java, Adobe, corporate patching agents)

Elastic Security (EQL)

eql

sequence by host.name, process.entity_id with maxspan=24h
  [network where event.type == "connection" and
   destination.port in (443, 8443, 4443, 8080, 8888) and
   not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*") and
   not process.name : ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "teams.exe", "slack.exe", "zoom.exe", "outlook.exe", "onedrive.exe") and
   process.name : ("svchost.exe", "lsass.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "certutil.exe", "bitsadmin.exe")]
  [network where event.type == "connection" and
   destination.port in (443, 8443, 4443, 8080, 8888) and
   not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")]
  [network where event.type == "connection" and
   destination.port in (443, 8443, 4443, 8080, 8888) and
   not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")]

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent with network monitoring

Required Tables

logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate software updaters using svchost.exe or rundll32.exe to check for updates over HTTPS may trigger this rule — verify against known software inventory and update schedules
Security scanning tools or EDR agents running as system processes may make multiple outbound HTTPS connections for telemetry or signature updates — whitelist by process hash or parent process
Custom enterprise applications built on .NET or WinHTTP that use generic process names like msbuild.exe as a host may legitimately connect to cloud APIs — validate against application deployment records

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  sourceip,
  destinationip,
  destinationport,
  username,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPEID(logsourceid) AS LogSourceType,
  COUNT(*) AS ConnectionCount,
  SUM(eventcount) AS TotalEvents,
  MIN(starttime) AS EarliestConnection,
  MAX(starttime) AS LatestConnection,
  ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) AS DurationMinutes,
  CASE
    WHEN destinationport IN (443, 8443, 4443) AND
         username ILIKE ANY ('%svchost%', '%rundll32%', '%regsvr32%', '%mshta%', '%wscript%', '%cscript%', '%msbuild%', '%installutil%', '%regasm%', '%certutil%', '%bitsadmin%')
      THEN 'FakeTLS-suspicious-process'
    WHEN COUNT(*) >= 5 AND
         ROUND((MAX(starttime) - MIN(starttime)) / (COUNT(*) - 1) / 1000.0, 1) BETWEEN 30 AND 3600
      THEN 'regular-beaconing-pattern'
    WHEN destinationport IN (443, 8443, 4443, 8080, 8888) AND
         username ILIKE ANY ('%svchost%', '%rundll32%', '%regsvr32%', '%mshta%', '%wscript%', '%cscript%', '%msbuild%', '%installutil%', '%regasm%', '%regsvcs%', '%certutil%', '%bitsadmin%')
      THEN 'TLS-port-suspicious-process'
    ELSE 'anomalous-outbound'
  END AS SuspicionDetail
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 73, 143, 161)
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND destinationport IN (80, 443, 8080, 8443, 4443, 8888)
  AND NOT destinationip ILIKE '10.%'
  AND NOT destinationip ILIKE '192.168.%'
  AND NOT destinationip ILIKE '172.16.%'
  AND NOT destinationip ILIKE '172.17.%'
  AND NOT destinationip ILIKE '172.18.%'
  AND NOT destinationip ILIKE '172.19.%'
  AND NOT destinationip ILIKE '172.20.%'
  AND NOT destinationip ILIKE '172.21.%'
  AND NOT destinationip ILIKE '172.22.%'
  AND NOT destinationip ILIKE '172.23.%'
  AND NOT destinationip ILIKE '172.24.%'
  AND NOT destinationip ILIKE '172.25.%'
  AND NOT destinationip ILIKE '172.26.%'
  AND NOT destinationip ILIKE '172.27.%'
  AND NOT destinationip ILIKE '172.28.%'
  AND NOT destinationip ILIKE '172.29.%'
  AND NOT destinationip ILIKE '172.30.%'
  AND NOT destinationip ILIKE '172.31.%'
  AND NOT destinationip ILIKE '127.%'
  AND username NOT ILIKE '%chrome%'
  AND username NOT ILIKE '%firefox%'
  AND username NOT ILIKE '%msedge%'
  AND username NOT ILIKE '%teams%'
  AND username NOT ILIKE '%slack%'
  AND username NOT ILIKE '%zoom%'
  AND username NOT ILIKE '%outlook%'
GROUP BY sourceip, destinationip, destinationport, username
HAVING ConnectionCount >= 3
ORDER BY ConnectionCount DESC

high severity medium confidence

Data Sources

QRadar with Sysmon DSM Windows Security Event Log DSM Network flow data

Required Tables

events

False Positives

Enterprise patch management systems that use bitsadmin.exe or other system binaries to download updates over HTTPS will match on process name — cross-reference with WSUS or SCCM deployment windows
Software asset management tools that probe external inventory APIs from svchost-hosted DLL services will generate benign hits — validate connection destinations against known vendor IP ranges
Automated backup software or cloud sync agents running as Windows services under svchost.exe may make regular outbound HTTPS connections matching the beaconing interval threshold

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where %"EventCode" = "3" OR %"event_id" = "3" OR _sourcecategory matches "*sysmon*"
| parse regex field=Image "(?<ProcessName>[^\\\\]+)$" nodrop
| parse regex field=DestinationIp "(?<DestIP>\\d+\\.\\d+\\.\\d+\\.\\d+)" nodrop
| where !(DestinationIp matches "10.*") AND !(DestinationIp matches "192.168.*") AND !(DestinationIp matches "172.16.*") AND !(DestinationIp matches "172.17.*") AND !(DestinationIp matches "172.18.*") AND !(DestinationIp matches "172.19.*") AND !(DestinationIp matches "172.20.*") AND !(DestinationIp matches "172.21.*") AND !(DestinationIp matches "172.22.*") AND !(DestinationIp matches "172.23.*") AND !(DestinationIp matches "172.24.*") AND !(DestinationIp matches "172.25.*") AND !(DestinationIp matches "172.26.*") AND !(DestinationIp matches "172.27.*") AND !(DestinationIp matches "172.28.*") AND !(DestinationIp matches "172.29.*") AND !(DestinationIp matches "172.30.*") AND !(DestinationIp matches "172.31.*") AND !(DestinationIp matches "127.*")
| where !(ProcessName matches "chrome.exe") AND !(ProcessName matches "firefox.exe") AND !(ProcessName matches "msedge.exe") AND !(ProcessName matches "iexplore.exe") AND !(ProcessName matches "teams.exe") AND !(ProcessName matches "slack.exe") AND !(ProcessName matches "zoom.exe") AND !(ProcessName matches "outlook.exe") AND !(ProcessName matches "onedrive.exe")
| eval isSuspiciousProcess = if(ProcessName matches "svchost.exe" OR ProcessName matches "lsass.exe" OR ProcessName matches "rundll32.exe" OR ProcessName matches "regsvr32.exe" OR ProcessName matches "mshta.exe" OR ProcessName matches "wscript.exe" OR ProcessName matches "cscript.exe" OR ProcessName matches "msbuild.exe" OR ProcessName matches "installutil.exe" OR ProcessName matches "regasm.exe" OR ProcessName matches "regsvcs.exe" OR ProcessName matches "certutil.exe" OR ProcessName matches "bitsadmin.exe", 1, 0)
| eval isFakeTLSPort = if(DestinationPort in ("443", "8443", "4443", "8080", "8888") AND isSuspiciousProcess = 1, 1, 0)
| timeslice 24h
| stats count as ConnectionCount, dcount(DestinationIp) as UniqueRemoteIPs, max(isFakeTLSPort) as FakeTLSFlag, max(isSuspiciousProcess) as SuspiciousProcessFlag, min(_messageTime) as FirstSeen, max(_messageTime) as LastSeen by host, Image, DestinationIp, DestinationPort, _timeslice
| where ConnectionCount >= 3
| eval DurationMinutes = round((LastSeen - FirstSeen) / 60000, 1)
| eval AvgIntervalSeconds = if(ConnectionCount > 1, round((LastSeen - FirstSeen) / 1000 / (ConnectionCount - 1), 1), null)
| eval BeaconingLikely = if(AvgIntervalSeconds > 30 AND AvgIntervalSeconds < 3600 AND ConnectionCount >= 5, 1, 0)
| eval SuspicionScore = FakeTLSFlag + SuspiciousProcessFlag + BeaconingLikely
| where SuspicionScore >= 1
| eval SuspicionDetail = if(FakeTLSFlag = 1 AND SuspiciousProcessFlag = 1, "FakeTLS-suspicious-process", if(SuspiciousProcessFlag = 1 AND BeaconingLikely = 1, "suspicious-process-beaconing", if(BeaconingLikely = 1, "regular-beaconing-pattern", if(FakeTLSFlag = 1, "TLS-port-non-browser", "anomalous-outbound"))))
| fields FirstSeen, host, Image, DestinationIp, DestinationPort, ConnectionCount, UniqueRemoteIPs, AvgIntervalSeconds, DurationMinutes, SuspicionScore, SuspicionDetail
| sort by SuspicionScore, ConnectionCount

high severity medium confidence

Data Sources

Sysmon via Sumo Logic Windows Collector Sumo Logic Cloud SIEM (CSE)

Required Tables

Sysmon EventCode 3 network connection events

False Positives

Windows Update or Microsoft telemetry processes hosted in svchost.exe making regular check-ins to Microsoft CDN endpoints will generate hits — validate destination IP ranges against Microsoft published IP lists
Corporate DLP or endpoint security software that uses rundll32.exe or similar host processes for its network agent component may make periodic outbound HTTPS connections to vendor cloud infrastructure
Developer tools like MSBuild used in CI/CD pipelines to download NuGet packages or communicate with artifact repositories over HTTPS will match on process name — correlate with build system schedules

Google Chronicle / SecOps

yaral

rule t1001_003_protocol_service_impersonation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects protocol or service impersonation (T1001.003) by identifying suspicious Windows processes making repeated outbound connections to TLS/HTTP ports used in FakeTLS and C2 beaconing. Covers Cobalt Strike malleable C2, SUNBURST-style masquerading, and FakeTLS C2 patterns."
    mitre_attack_tactic = "Command And Control"
    mitre_attack_technique = "T1001.003"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 8888)
    not $e.target.ip in cidr(
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/16",
      "127.0.0.0/8"
    )
    $e.principal.process.file.full_path != /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|teams\.exe|slack\.exe|zoom\.exe|outlook\.exe|onedrive\.exe)$/
    $e.principal.process.file.full_path = /(?i)(svchost\.exe|lsass\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|msbuild\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|certutil\.exe|bitsadmin\.exe)$/
    $hostname = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
    $dest_ip = $e.target.ip
    $dest_port = $e.target.port

  match:
    $hostname, $proc, $dest_ip, $dest_port over 24h

  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $unique_dest_ips = count_distinct($e.target.ip)
    $total_bytes_sent = sum($e.network.sent_bytes)
    $first_seen = min($e.metadata.event_timestamp.seconds)
    $last_seen = max($e.metadata.event_timestamp.seconds)
    $suspicion_detail = array_distinct($e.principal.process.file.full_path)

  condition:
    #e >= 3
}

high severity medium confidence

Data Sources

Chronicle UDM with Windows Sysmon ingestion Google Chronicle network telemetry Endpoint Detection and Response (EDR) telemetry via Chronicle

Required Tables

UDM NETWORK_CONNECTION events with principal process context

False Positives

Windows processes that legitimately host third-party DLLs (svchost.exe hosting plugin DLLs for antivirus or monitoring software) may make outbound HTTPS connections matching the suspicious process criteria — validate by reviewing the hosting service name and DLL path
Scripting engines (wscript.exe, cscript.exe) used by legitimate administrative automation scripts for health checks or monitoring will generate connections to internal or cloud management endpoints — verify script origin and digital signature
certutil.exe used by administrators for legitimate certificate operations or PKI management that involves downloading CRL/OCSP data from public PKI infrastructure will trigger this rule — correlate with planned PKI maintenance windows

CrowdStrike LogScale (CQL)

cql

// T1001.003 - Protocol or Service Impersonation Detection
// Detect suspicious processes making repeated outbound connections to TLS/HTTP ports

// Part 1: FakeTLS - suspicious process connecting to TLS ports
#event_simpleName=NetworkConnectIP4
| RemotePort in [443, 8443, 4443, 8080, 8888]
| RemoteAddressIP4 != /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|127\.)/
| ImageFileName =~ /(?i)(svchost\.exe|lsass\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|msbuild\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|certutil\.exe|bitsadmin\.exe)/
| ImageFileName !=~ /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|teams\.exe|slack\.exe|zoom\.exe|outlook\.exe|onedrive\.exe)/
| groupBy([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort], function=[
    count(aid, as=ConnectionCount),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    collect(CommandLine, limit=5, as=CommandLines)
  ])
| where ConnectionCount >= 3
| eval DurationMinutes = round((LastSeen - FirstSeen) / 60000, 1)
| eval AvgIntervalSeconds = if(ConnectionCount > 1, round((LastSeen - FirstSeen) / 1000 / (ConnectionCount - 1), 1), null())
| eval BeaconingLikely = if(AvgIntervalSeconds > 30 AND AvgIntervalSeconds < 3600 AND ConnectionCount >= 5, "yes", "no")
| eval SuspicionDetail = "FakeTLS-suspicious-process"
| fields FirstSeen, ComputerName, ImageFileName, RemoteAddressIP4, RemotePort, ConnectionCount, AvgIntervalSeconds, DurationMinutes, BeaconingLikely, SuspicionDetail, CommandLines
| sort(ConnectionCount, order=desc)

// Part 2: Beaconing pattern detection - any non-browser process with regular intervals
// Run separately or union with Part 1
// #event_simpleName=NetworkConnectIP4
// | RemoteAddressIP4 != /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|127\.)/
// | ImageFileName !=~ /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|teams\.exe|slack\.exe|zoom\.exe|outlook\.exe|onedrive\.exe|MsMpEng\.exe)/
// | groupBy([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort], function=[
//     count(aid, as=ConnectionCount),
//     min(@timestamp, as=FirstSeen),
//     max(@timestamp, as=LastSeen)
//   ])
// | where ConnectionCount >= 5 AND ConnectionCount <= 200
// | eval AvgIntervalSeconds = round((LastSeen - FirstSeen) / 1000 / (ConnectionCount - 1), 1)
// | where AvgIntervalSeconds > 30 AND AvgIntervalSeconds < 3600
// | eval SuspicionDetail = "regular-beaconing-pattern"
// | sort(ConnectionCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor Falcon Data Replicator (FDR) CrowdStrike Humio/LogScale SIEM

Required Tables

NetworkConnectIP4 Falcon sensor events ProcessRollup2 for process context correlation

False Positives

Security operations tools like vulnerability scanners or asset discovery agents that run as system processes and probe external infrastructure over HTTPS will match on the suspicious process list — whitelist by device tag or host group in the CrowdStrike console
Windows-native backup and sync utilities that leverage rundll32.exe or regsvr32.exe to host backup agent DLLs will make periodic HTTPS connections to cloud storage endpoints matching the beaconing threshold — validate against backup software deployment records
Penetration testing or red team infrastructure on dedicated test systems will intentionally produce this activity — exclude test asset host groups from production alerting policies in Falcon

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1001.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Protocol or Service Impersonation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections