Query Details

Device Network Events Suspicious Connection By COM Surrogate

Query

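// Detection: public network destinations contacted by dllhost.exe (COM Surrogate) that are
// neither on the expected-domain list nor seen in the look-back baselines.
// query_frequency is the live window examined on each run; query_period is the look-back
// window the two baselines are built from (the live window is excluded from the baselines so
// a brand-new destination cannot suppress itself).
let query_frequency = 1h;
let query_period = 14d;
// Expected destination suffixes, joined into one alternation anchored at the end of RemoteUrl.
// NOTE(review): `matches regex` is case-sensitive; prefix the pattern with (?i) if RemoteUrl
// casing varies in your tenant.
let _ExpectedDomainsRegex = strcat(@'(', strcat_array(dynamic([
    @"\.officeapps\.live\.com",
    @"officeclient\.microsoft\.com"
]), '|'), @')$');
// Baseline 1: remote hostnames dllhost.exe reached over the look-back window.
let _PreviousDomains = toscalar(
    DeviceNetworkEvents
    | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
    | where InitiatingProcessFileName has "dllhost.exe" and RemoteIPType == "Public"
    | where isnotempty(RemoteUrl)
    | summarize make_set(RemoteUrl)
);
// Baseline 2: /23 ranges of remote IPs reached without a resolved hostname.
// format_ipv4_mask returns an empty string when RemoteIP is not a parseable IPv4 address
// (e.g. an IPv6 peer); those rows are dropped here so the set handed to ipv4_is_in_any_range
// below contains only valid CIDR strings instead of empty entries.
let _PreviousIPRanges = toscalar(
    DeviceNetworkEvents
    | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
    | where InitiatingProcessFileName has "dllhost.exe" and RemoteIPType == "Public"
    | where isempty(RemoteUrl)
    | extend _Range = format_ipv4_mask(RemoteIP, 23)
    | where isnotempty(_Range)
    | summarize make_set(_Range)
);
DeviceNetworkEvents
| where ingestion_time() > ago(query_frequency)
// The live window is deliberately broader than the baselines: rows with an empty RemoteIPType
// are kept as long as the address is not a private-range IPv4 address.
| where InitiatingProcessFileName has "dllhost.exe" and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
//| where isnotempty(InitiatingProcessAccountUpn) and RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront.net"
// Keep only destinations that are neither expected nor present in either baseline.
// Caveat: any destination already contacted during the look-back window is allow-listed by
// construction, so activity that predates the baseline window is not surfaced by this query.
| where not(RemoteUrl matches regex _ExpectedDomainsRegex or RemoteUrl in (_PreviousDomains) or ipv4_is_in_any_range(RemoteIP, _PreviousIPRanges))
| project
    TimeGenerated,
    DeviceName,
    LocalIP,
    InitiatingProcessAccountUpn,
    ActionType,
    InitiatingProcessId,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    Protocol,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    InitiatingProcessParentId,
    InitiatingProcessParentFileName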

Explanation

This query looks for network events in which the "dllhost.exe" process connects to a public remote IP address. It excludes connections to a set of expected domains, as well as to the domains and IP ranges that dllhost.exe contacted previously, so that only new destinations are surfaced as potentially suspicious. The results include details such as time, device name, IP addresses, and process information for further analysis.

Details


Jose Sebastián Canós

Released: March 15, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,InitiatingProcessFileName,RemoteIPType,RemoteUrl,RemoteIP,TimeGenerated,DeviceName,LocalIP,InitiatingProcessAccountUpn,ActionType,InitiatingProcessId,InitiatingProcessFolderPath,InitiatingProcessCommandLine,Protocol,RemotePort,InitiatingProcessParentId,InitiatingProcessParentFileName

Operators

| where| summarize| make_set| format_ipv4_mask| has| isnotempty| isempty| matches regex| in| not| ipv4_is_private| ipv4_is_in_any_range| project
