This note documents detection patterns related to Suspicious Outbound Connections within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 3 | Network connection | Critical | Primary host-level evidence for outbound connections. |
| Security | 5156 | Windows Filtering Platform allowed connection | Critical | Native network permit telemetry. |
| Sysmon | 1 | Process creation | Critical | Required to identify initiating process. |
| Security | 4688 | Process creation | High | Supports parent-child correlation. |
| Sysmon | 22 | DNS query | Critical | Resolves outbound destinations before connection. |
| PowerShell | 4104 | Script block logging | Critical | Captures script-based outbound activity. |
| Firewall Logs | N/A | Network egress record | High | Useful for destination validation. |
| EDR Telemetry | N/A | Process-network lineage | Critical | Highest-value full process-to-network mapping. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Rare external IP | Unusual destination not seen in baseline | Critical | Strong IOC candidate. |
| Process without network baseline | Binary normally offline starts outbound traffic | Critical | High anomaly value. |
| LOLBIN outbound | powershell, rundll32, certutil, mshta | Critical | Strong attacker pattern. |
| Post-execution beacon | Connection follows suspicious child process | Critical | Common C2 behavior. |
| DNS burst then connection | Multiple lookups before egress | High | Discovery / failover logic. |
| Temp binary connects out | AppData / Temp process egress | Critical | Strong malware indicator. |
| SYSTEM process outbound to rare host | Service context beacon | High | Important for persistence hunts. |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Web requests / beaconing |
| curl.exe | File transfer / beacon |
| certutil.exe | Download / callback |
| bitsadmin.exe | Background transfer |
| mshta.exe | Remote script retrieval |
| rundll32.exe | Network-enabled DLL execution |
| custom implant | C2 traffic |
| browser engine abuse | Hidden outbound retrieval |
Relevant Artifacts
- Sysmon Event IDs 3, 22, 1
- Security Event IDs 5156, 4688
- PowerShell 4104
- Firewall logs
- DNS cache
- Prefetch for initiating binary
- Amcache for executable
- ShimCache historical traces
- EDR network graph
- MFT / USN if payload preceded beacon
MITRE ATT&CK References
- T1071 Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1041 Exfiltration Over C2 Channel
- T1571 Non-Standard Port
Decision Tree
- Which process connected outbound?
  - Image path
  - Parent process
- Destination trusted?
  - Domain
  - IP reputation
  - ASN
- Timing suspicious?
  - Immediately after execution
  - Repeating interval
  - Delayed beacon
- Port expected?
  - 80/443
  - Non-standard
  - Rare service
- Expand:
  - DNS lookups
  - Child processes
  - Download / exfil chain
- Scope:
  - Single host
  - Lateral beaconing
  - Shared IOC
Example Detection Templates
KQL
```kusto
// All outbound connections recorded by Sysmon Event 3
Sysmon
| where EventID == 3
| project TimeGenerated, Computer, Image, DestinationIp, DestinationPort, Protocol
```

```kusto
// Outbound connections initiated by network-capable LOLBINs
Sysmon
| where EventID == 3
| where Image has_any ("powershell.exe","cmd.exe","rundll32.exe","certutil.exe","mshta.exe")
| project TimeGenerated, Computer, Image, DestinationIp, DestinationPort
```
EQL
```eql
// Any network event from a network-capable LOLBIN
network where process.name in ("powershell.exe","rundll32.exe","certutil.exe","mshta.exe")
```

```eql
// Process start followed within 5 minutes by an outbound connection from that same process;
// joining on process.entity_id as well as host.name keeps the two stages tied to one process
// rather than pairing any process start with any connection on the host.
sequence by host.name, process.entity_id with maxspan=5m
  [ process where process.name != null ]
  [ network where destination.ip != null ]
```
Sigma
```yaml
title: Suspicious Outbound Connection
id: b5f9d117-outbound-detection  # Sigma tooling expects a UUID here; replace this slug before use
status: experimental
description: Detects suspicious outbound traffic from common attacker processes
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 3
    Image|endswith:
      - '\powershell.exe'
      - '\rundll32.exe'
      - '\certutil.exe'
      - '\mshta.exe'
  condition: selection
fields:
  - Image
  - DestinationIp
  - DestinationPort
falsepositives:
  - Administrative downloads
level: high
tags:
  - attack.command_and_control
  - attack.t1071
```
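As an added example that is not part of this note, the "Post-execution beacon" and "Repeating interval" branches of the decision tree implemented over constructed Sysmon Event 1 / Event 3 records: the Event 1 to Event 3 join on ProcessGuid is the process-to-network lineage the Direct Indicators table calls for, and the interval check flags near-constant callback periods. The record layout, ProcessGuid values, paths and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def ev(eid, hhmmss, guid, image, ip=None, port=None):
    """Minimal Sysmon record: EventID 1 = process create, EventID 3 = network connect."""
    return {"EventID": eid, "UtcTime": "2026-03-07 " + hhmmss, "ProcessGuid": guid,
            "Image": image, "DestinationIp": ip, "DestinationPort": port}
# Constructed sample telemetry for one host (not real logs).
RUNDLL = r"C:\Windows\System32\rundll32.exe"
TEMP, FOX = r"C:\Users\bob\AppData\Local\Temp\upd.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"
EVENTS = [
    ev(1, "10:00:00", "{A1}", RUNDLL),
    ev(3, "10:00:04", "{A1}", RUNDLL, "203.0.113.10", 443),  # first callback 4 s after start
    ev(3, "10:01:04", "{A1}", RUNDLL, "203.0.113.10", 443),
    ev(3, "10:02:04", "{A1}", RUNDLL, "203.0.113.10", 443),
    ev(3, "10:03:05", "{A1}", RUNDLL, "203.0.113.10", 443),  # 1 s of jitter on a 60 s period
    ev(1, "10:05:00", "{B2}", TEMP),
    ev(3, "10:05:01", "{B2}", TEMP, "198.51.100.7", 8443),    # AppData/Temp binary calling out
    ev(1, "09:00:00", "{C3}", FOX),
    ev(3, "10:30:00", "{C3}", FOX, "192.0.2.5", 443),         # long-running browser: baseline
]
def ts(e): return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
def basename(p): return p.rsplit("\\", 1)[-1].lower()

def post_execution_beacon(events, maxspan=timedelta(minutes=5)):
    """Join each Event 1 to the first Event 3 sharing its ProcessGuid within maxspan, so the
    connection is tied to that process, not to any process on the host. -> (image, dst, delay_s)"""
    starts = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits, seen = [], set()
    for e in sorted((x for x in events if x["EventID"] == 3), key=ts):
        s, g = starts.get(e["ProcessGuid"]), e["ProcessGuid"]
        if s and g not in seen and timedelta(0) <= ts(e) - ts(s) <= maxspan:
            seen.add(g)
            hits.append((basename(s["Image"]), e["DestinationIp"], (ts(e) - ts(s)).total_seconds()))
    return hits

def beacon_candidates(events, min_conns=4, max_jitter=0.2):
    """(image, ip, port) tuples whose inter-connection gaps are near-constant, i.e. a repeating
    interval; max_jitter caps the std-dev of the gaps relative to the mean period."""
    buckets = defaultdict(list)
    for e in (x for x in events if x["EventID"] == 3):
        buckets[(basename(e["Image"]), e["DestinationIp"], e["DestinationPort"])].append(ts(e))
    out = []
    for key, times in buckets.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_conns and pstdev(gaps) <= max_jitter * mean(gaps):
            out.append((key, round(mean(gaps))))  # mean period in seconds
    return out
```

The 60 s rundll32 series passes both checks while the browser connection 90 minutes after its process start passes neither; tune `min_conns` and `max_jitter` against the host's own baseline before alerting.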
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Sysmon network logging | Enable Event 3 | Critical | Core outbound visibility |
| DNS logging | Retain resolution telemetry | Critical | Enables domain correlation |
| Egress filtering | Restrict outbound destinations | High | Reduces beacon success |
| LOLBIN monitoring | Alert on network-capable binaries | Critical | High attacker overlap |
| EDR lineage retention | Preserve network ancestry | Critical | Essential for triage |