Skip to content

DC0082 Network Connection Creation

Item Value
ID DC0082
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
auditd:SYSCALL connect
auditd:SYSCALL execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline
auditd:SYSCALL connect/sendto
auditd:SYSCALL open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK
auditd:SYSCALL socket/connect with TLS context by unexpected process
auditd:SYSCALL socket/bind: New bind() to a previously closed port shortly after the sequence.
auditd:SYSCALL sendto/connect
auditd:SYSCALL outbound connections
auditd:SYSCALL socket/bind: Process binds to a new local port shortly after knock
auditd:SYSCALL socket/connect calls showing SSH processes forwarding arbitrary ports
auditd:SYSCALL openat,connect -k discovery
AWS:VPCFlowLogs Outbound connection to 169.254.169.254 from EC2 workload
AWS:VPCFlowLogs Large transfer volume (>20MB) from RDS IP range to external public IPs
AWS:VPCFlowLogs High outbound traffic from new region resource
AWS:VPCFlowLogs Outbound connections to port 22, 3389
AWS:VPCFlowLogs Traffic observed on mirror destination instance
cni:netflow outbound connection to internal or external APIs
ebpf:syscalls socket connect
esxi:esxupdate /var/log/esxupdate.log or /var/log/vmksummary.log
esxi:hostd System service interactions
esxi:hostd Service initiated connections
esxi:hostd Service-Based Network Connection
esxi:vmkernel protocol egress
esxi:vmkernel network activity
esxi:vmkernel None
esxi:vmkernel network session initiation with external HTTPS services
linux:osquery family=AF_PACKET or protocol raw; process name not in allowlist.
linux:syslog network
linux:syslog postfix/smtpd
linux:syslog New Wi-Fi connection established or repeated association failures
linux:syslog None
linux:Sysmon EventCode=3, 22
macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_CONNECT
macos:osquery process_events/socket_events
macos:osquery execution of trusted tools interacting with external endpoints
macos:osquery launchd or network_events
macos:osquery process_events + launchd
macos:osquery process_events, socket_events
macos:osquery CONNECT: Long-lived connections from remote-control parents to external IPs/domains
macos:osquery None
macos:unifiedlog connection attempts
macos:unifiedlog connection open
macos:unifiedlog network connection events
macos:unifiedlog First outbound connection from the same PID/user shortly after an inbound trigger.
macos:unifiedlog network sessions initiated by remote desktop apps
macos:unifiedlog Inbound connections to VNC/SSH ports
macos:unifiedlog network
macos:unifiedlog Outbound Traffic
macos:unifiedlog None
macos:unifiedlog networkd or socket
macos:unifiedlog log stream network activity
macos:unifiedlog Association and authentication events including failures and new SSIDs
Network Traffic None
networkdevice:Flow Traffic from mirrored interface to mirror target IP
networkdevice:syslog Dynamic route changes
NSM:Connections web domain alerts
NSM:Connections New outbound connection from Safari/Chrome/Firefox/Word
NSM:Connections Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports
NSM:Firewall Outbound Connections
NSM:Firewall proxy or TLS inspection logs
NSM:Flow New TCP/443 or TCP/80 to domain not previously seen for the user/host
NSM:Flow conn.log
NSM:Flow Outbound connection to .tunnels.api.visualstudio.com or .devtunnels.ms
NSM:Flow Connections to *.devtunnels.ms or tunnels.api.visualstudio.com
NSM:Flow HTTPs connection to tunnels.api.visualstudio.com
NSM:Flow Outbound or inbound TFTP file transfers of ROMMON or firmware binaries
NSM:Flow connection: TCP connections to ports 139/445 to multiple hosts
NSM:Flow connection: SMB connections to multiple internal hosts
NSM:Flow Outbound HTTP/S initiated by newly installed interpreter process
NSM:Flow outbound connections to RMM services or to unusual destination ports
NSM:Flow Multiple failed connections (conn_state=REJ/S0 or history has ‘R’) across distinct ports from the same src_ip followed by success to a specific port.
NSM:Flow Sequence of REJ/S0 then SF success from same src_ip within TimeWindow.
NSM:Flow Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow.
NSM:Flow Outbound traffic spike through formerly blocked ports/subnets following config change
NSM:Flow New egress to Internet by the same UID/host shortly after terminal exec
NSM:Flow connection: Inbound connections to SSH or VPN ports
NSM:Flow External access to container ports (2375, 6443)
NSM:Flow remote access
NSM:Flow Outbound Connections
NSM:Flow connection attempts
NSM:Flow High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs
NSM:Flow outbound connections from host during or immediately after image build
NSM:Flow new outbound connection from browser/office lineage
NSM:Flow new outbound connection from exploited lineage
NSM:Flow Multiple failed connections to closed ports (history contains ‘R’ or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock
NSM:Flow Closed-port hits followed by success from same src_ip
NSM:Flow Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock
NSM:Flow Unexpected inbound/outbound TFTP traffic for device image files
NSM:Flow Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services
snmp:access GETBULK/GETNEXT requests for OIDs associated with configuration parameters
WinEventLog:Microsoft-Windows-Bits-Client/Operational BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields
WinEventLog:Microsoft-Windows-WLAN-AutoConfig EventCode=8001, 8002, 8003
WinEventLog:Security EventCode=5156, 5157
WinEventLog:Sysmon EventCode=3, 22
WinEventLog:System EventCode=8001

Detection Strategy

ID Name Technique Detected
DET0210 Abuse of Domain Accounts T1078.002
DET0413 Abuse of Information Repositories for Data Collection T1213
DET0397 Automated Exfiltration Detection Strategy T1020
DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic) T1219
DET0124 Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi T1132.001
DET0326 Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi T1132.002
DET0354 Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers T1133
DET0182 Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS T1135
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) T1127.001
DET0585 Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows) T1127.003
DET0197 Behavior-chain, platform-aware detection strategy for T1125 Video Capture T1125
DET0172 Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows) T1127
DET0018 Behavior-chain, platform-aware detection strategy for T1129 Shared Modules T1129
DET0400 Behavioral Detection of DNS Tunneling and Application Layer Abuse T1071.004
DET0499 Behavioral Detection of Fallback or Alternate C2 Channels T1008
DET0102 Behavioral Detection of Input Capture Across Platforms T1056
DET0357 Behavioral Detection of Internet Connection Discovery T1016.001
DET0002 Behavioral Detection of Publish/Subscribe Protocol Misuse for C2 T1071.005
DET0518 Behavioral Detection of T1498 – Network Denial of Service Across Platforms T1498
DET0384 Behavioral Detection of Unix Shell Execution T1059.004
DET0131 Behavioral Detection Strategy for Exfiltration Over Alternative Protocol T1048
DET0503 Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1048.001
DET0376 Behavioral Detection Strategy for Network Service Discovery Across Platforms T1046
DET0269 Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity T1021
DET0364 Behavioral Detection Strategy for WMI Execution Abuse on Windows T1047
DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) T1195.002
DET0488 Detect abuse of Trusted Relationships (third-party and delegated admin access) T1199
DET0098 Detect abuse of Windows BITS Jobs for download, execution and persistence T1197
DET0001 Detect Access to Cloud Instance Metadata API (IaaS) T1552.005
DET0307 Detect Access to Unsecured Credential Files Across Platforms T1552.001
DET0296 Detect Adversary-in-the-Middle via Network and Configuration Anomalies T1557
DET0387 Detect ARP Cache Poisoning Across Linux, Windows, and macOS T1557.002
DET0035 Detect Bidirectional Web Service C2 Channels via Process & Network Correlation T1102.002
DET0507 Detect browser session hijacking via privilege, handle access, and remote thread into browsers T1185
DET0028 Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes T1496.002
DET0060 Detect Ingress Tool Transfers via Behavioral Chain T1105
DET0047 Detect Local Email Collection via Outlook Data File Access and Command Line Tooling T1114.001
DET0561 Detect malicious IDE extension install/usage and IDE tunneling T1176.002
DET0228 Detect Multi-Stage Command and Control Channels T1104
DET0053 Detect Obfuscated C2 via Network Traffic Analysis T1001
DET0581 Detect One-Way Web Service Command Channels T1102.003
DET0048 Detect Remote Email Collection via Abnormal Login and Programmatic Access T1114.002
DET0069 Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network) T1200
DET0361 Detecting .NET COM Registration Abuse via Regsvcs/Regasm T1218.009
DET0433 Detecting Code Injection via mavinject.exe (App-V Injector) T1218.013
DET0025 Detecting Electron Application Abuse for Proxy Execution T1218.015
DET0011 Detecting Junk Data in C2 Channels via Behavioral Analysis T1001.001
DET0044 Detecting Malicious Browser Extensions Across Platforms T1176.001
DET0222 Detecting MMC (.msc) Proxy Execution and Malicious COM Activation T1218.014
DET0506 Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation T1218.005
DET0486 Detecting Odbcconf Proxy Execution of Malicious DLLs T1218.008
DET0470 Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation T1001.003
DET0528 Detecting Remote Script Proxy Execution via PubPrn.vbs T1216.001
DET0235 Detecting Steganographic Command and Control via File + Network Correlation T1001.002
DET0588 Detection fo Remote Service Session Hijacking for RDP. T1563.002
DET0247 Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS) T1535
DET0623 Detection of Adversary-in-the-Middle T1638
DET0700 Detection of Bidirectional Communication T1481.002
DET0554 Detection of Bluetooth-Based Data Exfiltration T1011.001
DET0444 Detection of Command and Control Over Application Layer Protocols T1071
DET0617 Detection of Dead Drop Resolver T1481.001
DET0782 Detection of Drive-by Compromise T0817
DET0077 Detection of Exfiltration Over Alternate Network Interfaces T1011
DET0512 Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002
DET0149 Detection of Exfiltration Over Unencrypted Non-C2 Protocol T1048.003
DET0416 Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP) T1071.002
DET0135 Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3) T1071.003
DET0092 Detection of Malicious or Unauthorized Software Extensions T1176
DET0328 Detection of Malicious Profile Installation via CMSTP.exe T1218.003
DET0158 Detection of Msiexec Abuse for Local, Network, and DLL Execution T1218.007
DET0457 Detection of Non-Application Layer Protocols for C2 T1095
DET0610 Detection of One-Way Communication T1481.003
DET0081 Detection of Proxy Execution via Trusted Signed Binaries Across Platforms T1218
DET0445 Detection of Proxy Infrastructure Setup and Traffic Bridging T1090
DET0079 Detection of Remote Service Session Hijacking T1563
DET0804 Detection of Remote Services T0886
DET0898 Detection of Spoofed User-Agent T1036.012
DET0342 Detection of Suspicious Compiled HTML File Execution via hh.exe T1218.001
DET0791 Detection of User Execution T0863
DET0027 Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets T1071.001
DET0672 Detection of Web Service T1481
DET0459 Detection Strategy for Build Image on Host T1612
DET0501 Detection Strategy for Compile After Delivery - Source Code to Executable Transformation T1027.004
DET0108 Detection Strategy for Data Encoding in C2 Channels T1132
DET0592 Detection Strategy for Data from Configuration Repository on Network Devices T1602
DET0213 Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration T1030
DET0039 Detection Strategy for Dynamic Resolution across OS Platforms T1568
DET0262 Detection Strategy for Dynamic Resolution through DNS Calculation T1568.003
DET0419 Detection Strategy for Dynamic Resolution using Domain Generation Algorithms. T1568.002
DET0485 Detection Strategy for Dynamic Resolution using Fast Flux DNS T1568.001
DET0273 Detection Strategy for Encrypted Channel across OS Platforms T1573
DET0543 Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms T1573.002
DET0143 Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms T1573.001
DET0173 Detection Strategy for Endpoint DoS via Service Exhaustion Flood T1499.002
DET0348 Detection Strategy for Exfiltration Over C2 Channel T1041
DET0548 Detection Strategy for Exfiltration Over Web Service T1567
DET0153 Detection Strategy for Exfiltration Over Webhook T1567.004
DET0570 Detection Strategy for Exfiltration to Cloud Storage T1567.002
DET0318 Detection Strategy for Exfiltration to Code Repository T1567.001
DET0284 Detection Strategy for Exfiltration to Text Storage Sites T1567.003
DET0171 Detection Strategy for Forged Web Cookies T1606.001
DET0411 Detection Strategy for Hide Infrastructure T1665
DET0405 Detection Strategy for LNK Icon Smuggling T1027.012
DET0233 Detection Strategy for Network Device Configuration Dump via Config Repositories T1602.002
DET0227 Detection Strategy for Non-Standard Ports T1571
DET0538 Detection Strategy for Protocol Tunneling accross OS platforms. T1572
DET0408 Detection Strategy for Reflection Amplification DoS (T1498.002) T1498.002
DET0574 Detection Strategy for Remote System Enumeration Behavior T1018
DET0399 Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns T1029
DET0453 Detection Strategy for SNMP (MIB Dump) on Network Devices T1602.001
DET0236 Detection Strategy for Spearphishing Attachment across OS Platforms T1566.001
DET0107 Detection Strategy for Spearphishing Links T1566.002
DET0115 Detection Strategy for Spearphishing via a Service across OS Platforms T1566.003
DET0256 Detection Strategy for SSH Session Hijacking T1563.001
DET0119 Detection Strategy for Steganographic Abuse in File & Script Execution T1027.003
DET0510 Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior T1027.017
DET0282 Detection Strategy for System Binary Proxy Execution: Regsvr32 T1218.010
DET0421 Detection Strategy for System Services Service Execution T1569.002
DET0475 Detection Strategy for T1218.011 Rundll32 Abuse T1218.011
DET0042 Detection Strategy for T1218.012 Verclsid Abuse T1218.012
DET0175 Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit T1542.004
DET0582 Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot T1542.005
DET0409 Detection Strategy for T1550.002 - Pass the Hash (Windows) T1550.002
DET0403 Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices T1020.001
DET0058 Detection Strategy for Web Service: Dead Drop Resolver T1102.001
DET0536 Detection Strategy for Wi-Fi Networks T1669
DET0254 Detection Strategy of Transmitted Data Manipulation T1565.002
DET0343 Direct Network Flood Detection across IaaS, Linux, Windows, and macOS T1498.001
DET0196 Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers T1090.004
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0476 Email Collection via Local Email Access and Auto-Forwarding Behavior T1114
DET0087 Encrypted or Encoded File Payload Detection Strategy T1027.013
DET0474 Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy T1480.001
DET0080 Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress) T1190
DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps) T1203
DET0118 Exploitation of Remote Services – multi-platform lateral movement detection T1210
DET0325 External Proxy Behavior via Outbound Relay to Intermediate Infrastructure T1090.002
DET0133 IDE Tunneling Detection via Process, File, and Network Behaviors T1219.001
DET0200 Indirect Command Execution – Windows utility abuse behavior chain T1202
DET0075 Internal Proxy Behavior via Lateral Host-to-Host C2 Relay T1090.001
DET0285 Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution T1021.003
DET0530 Multi-Event Detection for SMB Admin Share Lateral Movement T1021.002
DET0327 Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity T1021.001
DET0359 Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling T1090.003
DET0540 Multi-Platform Behavioral Detection for Compute Hijacking T1496.001
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0302 Port-knock → rule/daemon change → first successful connect (T1205.001) T1205.001
DET0259 Remote Desktop Software Execution and Beaconing Detection T1219.002
DET0267 Resource Hijacking Detection Strategy T1496
DET0162 Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002) T1205.002
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006) T1213.006
DET0425 Suspicious Use of Web Services for C2 T1102
DET0566 Template Injection Detection - Windows T1221
DET0524 Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205 T1205
DET0306 Unauthorized Network Firewall Rule Modification (T1562.013) T1562.013
DET0340 User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004 T1204.004
DET0066 User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity) T1204.001
DET0478 User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress) T1204
DET0252 User-Initiated Malicious Library Installation via Package Manager (T1204.005) T1204.005