Query Details

C2intel Feeds domain

Query

DeviceNetworkEvents
| where RemoteIPType == "Public"
| where InitiatingProcessVersionInfoProductName !in ("Sophos Anti-Virus", "Google Chrome", "Microsoft Edge", "Firefox")
| where RemoteUrl has_any ((
    externaldata(domain: string, ioc: string)
        [@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/domainC2s-30day.csv"]
        with (format="csv", ignoreFirstRecord=true)
    | where ioc contains_cs "C2 Domain"
    | distinct domain
))

Explanation

This KQL (Kusto Query Language) query hunts for outbound connections from endpoints to domains that the C2IntelFeeds project has recently classified as command-and-control (C2) infrastructure. It works in three steps:

  1. Filter for public IPs: start from DeviceNetworkEvents and keep only events whose RemoteIPType is "Public", discarding traffic to internal addresses.
  2. Exclude noisy processes: drop events whose initiating process reports a product name of "Sophos Anti-Virus", "Google Chrome", "Microsoft Edge" or "Firefox". Browsers and the AV agent contact a large number of public domains, so excluding them cuts false positives; the trade-off is that C2 traffic injected into or proxied through a browser is not seen.
  3. Match against external data: pull the domainC2s-30day.csv feed from the drb-ra/C2IntelFeeds GitHub repository with externaldata (ignoreFirstRecord=true skips the CSV header row), keep only rows whose ioc column contains the case-sensitive string "C2 Domain", deduplicate the domain column with distinct, and keep the network events whose RemoteUrl has_any of those domains.

In essence, the query takes every connection to a public IP that was not made by the browsers or the AV agent, and cross-references it with domains seen acting as C2 servers in the last 30 days.

Two caveats for anyone running this in production. First, InitiatingProcessVersionInfoProductName comes from the executable's own version resource, which malware can set to "Google Chrome" and so slip through the exclusion; combining the product-name check with a path check on InitiatingProcessFolderPath makes the exclusion harder to abuse. Second, has_any is a term match, not an exact hostname comparison, so a feed domain also matches URLs under any of its subdomains, and connections made directly to an IP address carry no RemoteUrl and are not covered by this domain-only feed.
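To make the three filters concrete, here is an offline Python re-implementation of the query's logic, added as an example (it is not code from the page or from the C2IntelFeeds project). It reads a constructed snippet in the same two-column (domain, ioc) shape as domainC2s-30day.csv instead of downloading the live feed, and runs the filters over constructed DeviceNetworkEvents-style records. One assumption to note: a URL is treated as matching a feed domain when its hostname equals the domain or is a subdomain of it, which approximates KQL's has_any term matching but is not identical to it.

```python
"""Offline re-implementation of the C2IntelFeeds domain hunting query.

Added example, not code from the page or the C2IntelFeeds project.
Assumption: URL-to-domain matching is done on the hostname (exact or
subdomain), as a stand-in for KQL's tokenised has_any term match.
"""
import csv
import io
from urllib.parse import urlsplit

# Constructed stand-in for domainC2s-30day.csv: same columns (domain, ioc).
FEED_CSV = """domain,ioc
evil-c2.example,C2 Domain
beacon.bad.example,C2 Domain
cdn.legit.example,Hosting Domain
"""

# The !in (...) list from the query.
EXCLUDED_PRODUCTS = {"Sophos Anti-Virus", "Google Chrome", "Microsoft Edge", "Firefox"}

# Constructed DeviceNetworkEvents rows, trimmed to the columns the query touches.
EVENTS = [
    {"DeviceName": "ws01", "RemoteIPType": "Public",
     "InitiatingProcessVersionInfoProductName": "Microsoft Office",
     "InitiatingProcessFileName": "WINWORD.EXE",
     "RemoteUrl": "https://evil-c2.example/gate.php"},
    {"DeviceName": "ws01", "RemoteIPType": "Public",          # excluded: browser
     "InitiatingProcessVersionInfoProductName": "Google Chrome",
     "InitiatingProcessFileName": "chrome.exe",
     "RemoteUrl": "https://evil-c2.example/"},
    {"DeviceName": "ws02", "RemoteIPType": "Private",         # excluded: not public
     "InitiatingProcessVersionInfoProductName": "",
     "InitiatingProcessFileName": "svchost.exe",
     "RemoteUrl": "http://evil-c2.example.internal/"},
    {"DeviceName": "ws02", "RemoteIPType": "Public",          # hit via subdomain
     "InitiatingProcessVersionInfoProductName": "",
     "InitiatingProcessFileName": "rundll32.exe",
     "RemoteUrl": "https://update.beacon.bad.example/api/v2"},
    {"DeviceName": "ws03", "RemoteIPType": "Public",          # feed row is not "C2 Domain"
     "InitiatingProcessVersionInfoProductName": "",
     "InitiatingProcessFileName": "curl.exe",
     "RemoteUrl": "https://cdn.legit.example/file.zip"},
    {"DeviceName": "ws03", "RemoteIPType": "Public",          # lookalike, must not match
     "InitiatingProcessVersionInfoProductName": "",
     "InitiatingProcessFileName": "powershell.exe",
     "RemoteUrl": "https://notevil-c2.example/"},
    {"DeviceName": "ws04", "RemoteIPType": "Public",          # direct-to-IP: no RemoteUrl
     "InitiatingProcessVersionInfoProductName": "",
     "InitiatingProcessFileName": "svchost.exe",
     "RemoteUrl": ""},
]


def load_c2_domains(feed_text):
    """externaldata(...) | where ioc contains_cs "C2 Domain" | distinct domain"""
    reader = csv.DictReader(io.StringIO(feed_text))   # header row == ignoreFirstRecord
    return {row["domain"].strip().lower()
            for row in reader if "C2 Domain" in row["ioc"]}   # case-sensitive substring


def url_host(url):
    """Hostname of a RemoteUrl; MDE sometimes logs bare host[:port] without a scheme."""
    if not url:
        return ""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def matching_domain(url, c2_domains):
    """Return the feed domain the URL belongs to (exact host or subdomain), else None."""
    host = url_host(url)
    if not host:
        return None
    for domain in c2_domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def hunt(events, c2_domains):
    """Apply the query's three where-clauses and tag each hit with the matched domain."""
    hits = []
    for ev in events:
        if ev["RemoteIPType"] != "Public":
            continue
        if ev["InitiatingProcessVersionInfoProductName"] in EXCLUDED_PRODUCTS:
            continue
        domain = matching_domain(ev["RemoteUrl"], c2_domains)
        if domain:
            hits.append({**ev, "MatchedC2Domain": domain})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS, load_c2_domains(FEED_CSV)):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"],
              hit["RemoteUrl"], "->", hit["MatchedC2Domain"])
```

Only the WINWORD.EXE and rundll32.exe rows survive: the Chrome row is dropped by the product-name exclusion even though it reaches the same C2 domain, which is exactly the blind spot the exclusion introduces, and the empty RemoteUrl row shows why a companion query over RemoteIP with the feed's IP list is worth running alongside this one.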

Details


Ali Hussein

Released: September 13, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, RemoteIPType, InitiatingProcessVersionInfoProductName, RemoteUrl, externaldata, domain, ioc, format, ignoreFirstRecord, distinct

Operators

DeviceNetworkEvents, |, where, ==, !in, has_any, externaldata, with, format, ignoreFirstRecord, contains_cs, distinct
