Query Details

Device Network Events Suspicious Connection By COM Surrogate

Query

let query_frequency = 1h;
let query_period = 14d;
let executable_name = "dllhost.exe";
let _ExpectedDomainsRegex = strcat(@'(', strcat_array(dynamic([
    @"\.officeapps\.live\.com",
    @"officeclient\.microsoft\.com",
    @"ecs\.office\.com",
    @"clients\.config\.office\.net",
    @"config\.teams\.microsoft\.com",
    @"fp\.measure\.office\.com",
    @"fs\.microsoft\.com",
    @"settings\-win\.data\.microsoft\.com"
]), '|'), @')$');
let _PreviousDomains = toscalar(
    DeviceNetworkEvents
    | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
    | where (InitiatingProcessFileName has executable_name or InitiatingProcessVersionInfoOriginalFileName has executable_name)  and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
    | where isnotempty(RemoteUrl)
    | summarize make_set(RemoteUrl)
);
let _PreviousIPRanges = toscalar(
    union 
        (
        DeviceNetworkEvents
        | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
        | where (InitiatingProcessFileName has executable_name or InitiatingProcessVersionInfoOriginalFileName has executable_name)  and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
        | where isempty(RemoteUrl)
        ),
        (
        DeviceNetworkEvents
        | where ingestion_time() between (ago(query_period) .. ago(query_frequency))
        | where isnotempty(RemoteUrl) and RemoteUrl matches regex _ExpectedDomainsRegex
        )
    | distinct RemoteIP
    | summarize make_set(format_ipv4_mask(RemoteIP, 23))
);
DeviceNetworkEvents
| where ingestion_time() > ago(query_frequency)
| where (InitiatingProcessFileName has executable_name or InitiatingProcessVersionInfoOriginalFileName has executable_name)  and (RemoteIPType == "Public" or (isempty(RemoteIPType) and not(ipv4_is_private(RemoteIP))))
//| where isnotempty(InitiatingProcessAccountUpn) and RemoteUrl matches regex @"d\d[a-z0-9]{12}\.cloudfront.net"
| where not(RemoteUrl matches regex _ExpectedDomainsRegex or RemoteUrl in (_PreviousDomains) or ipv4_is_in_any_range(RemoteIP, _PreviousIPRanges))
| project
    TimeGenerated,
    DeviceName,
    LocalIP,
    InitiatingProcessAccountUpn,
    ActionType,
    InitiatingProcessId,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    Protocol,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    InitiatingProcessParentId,
    InitiatingProcessParentFileName

Explanation

This KQL (Kusto Query Language) query is designed to monitor network activity related to a specific executable, "dllhost.exe," over a recent period and identify any unusual or unexpected connections. Here's a simplified breakdown of what the query does:

  1. Setup Parameters:

    • query_frequency: The query looks at data from the past hour (1h).
    • query_period: It considers historical data from the past 14 days (14d).
    • executable_name: The executable of interest is "dllhost.exe".
  2. Define Expected Domains:

    • _ExpectedDomainsRegex: A regular expression is created to match a list of expected domain patterns related to Microsoft services (e.g., officeapps.live.com, officeclient.microsoft.com).
  3. Collect Historical Data:

    • _PreviousDomains: Collects a set of URLs that "dllhost.exe" connected to in the past 14 days, excluding private IPs and focusing on public IPs.
    • _PreviousIPRanges: Collects a set of IP ranges (in CIDR format) that were contacted without a URL or matched the expected domains.
  4. Current Activity Analysis:

    • The query examines network events from the past hour where "dllhost.exe" is the initiating process.
    • It filters out connections to expected domains or those previously seen in the last 14 days.
    • It focuses on public IPs, excluding private IPs.
  5. Output:

    • The query projects a list of network events that are potentially suspicious or unusual, including details like the time of the event, device name, local IP, user account, action type, process details, and connection specifics (e.g., remote URL, IP, port).

In summary, this query is used to detect potentially suspicious network activity by "dllhost.exe" that deviates from expected or previously observed patterns, helping to identify anomalies or potential security threats.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: June 4, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

letstrcatstrcat_arraydynamictoscalarbetweenagohasisemptynotipv4_is_privateisnotemptysummarizemake_setunionmatchesregexdistinctformat_ipv4_maskinipv4_is_in_any_rangeproject

Actions

GitHub