Rules Contributing to Suspicious Windows Network Connection Alert

The following rules are used to identify suspicious Windows network connection activities. Any one or more of these will trigger the Suspicious Windows Network Connection Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
| --- | --- |
| Network Activity From MSBuild | MSBuild is a powerful tool used to compile and package code. If the MSBuild utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. Malicious executables can even run inside MSBuild with little indication that they are doing so. |
| Network Activity From mshta | Mshta is the Microsoft HTML Application Host and allows the execution of .hta files. If the mshta utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. |
| Network Activity From msxsl | Msxsl allows you to perform command-line Extensible Stylesheet Language (XSL) transformations. If the msxsl utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. |
| Network Activity From verclsid | Verclsid allows you to validate shell extensions before they are instantiated by the Windows shell or Windows Explorer. If the verclsid utility is accessing network resources, it might be using code from a third party or even downloading malicious code or executables. |
| Unexpected Network Activity from Microsoft Tool | A Microsoft tool was executed with suspicious network connection activity. This could be an indication of malicious activity. |
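
The four utility-specific rules above all match on which process opened a network connection. The sketch below is an added example, not the product's own rule logic. It assumes events with Sysmon Event ID 3 style fields (`Computer`, `Image`, `DestinationIp`, `DestinationPort`); the sample events, hosts and paths are constructed.

```python
import ntpath
import re

# Process names taken from the rule titles on this page.
RULES = {
    "msbuild.exe": "Network Activity From MSBuild",
    "mshta.exe": "Network Activity From mshta",
    "msxsl.exe": "Network Activity From msxsl",
    "verclsid.exe": "Network Activity From verclsid",
}

# Constructed sample events; the key=value layout and field names are assumptions.
SAMPLE_EVENTS = r'''
Computer=WS01 Image="C:\Program Files\BuildTools\MSBuild.exe" DestinationIp=203.0.113.10 DestinationPort=443
Computer=WS01 Image=C:\Windows\System32\MSHTA.EXE DestinationIp=198.51.100.7 DestinationPort=80
Computer=WS02 Image=C:\Windows\System32\svchost.exe DestinationIp=192.0.2.53 DestinationPort=53
Computer=WS02 Image=C:\Tools\msxsl.exe DestinationIp=203.0.113.10 DestinationPort=8080
Computer=WS03 Image=C:\Windows\System32\verclsid.exe
'''

# key=value pairs; a value may be double-quoted so paths with spaces survive.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def match_rule(event):
    """Return the rule title for a network event, or None if no rule applies."""
    image, dest = event.get("Image"), event.get("DestinationIp")
    if not image or not dest:
        return None  # no destination recorded: not a network connection event
    # Windows paths are case-insensitive, so compare the lowercased file name.
    return RULES.get(ntpath.basename(image).lower())


def detect(log_text):
    """Return one alert dict per event that matches a rule, in log order."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_event(line)
        rule = match_rule(event)
        if rule:
            dest = f'{event["DestinationIp"]}:{event.get("DestinationPort", "?")}'
            alerts.append({"rule": rule, "host": event.get("Computer"),
                           "image": event["Image"], "destination": dest})
    return alerts
```
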