Query Details

HTTP Traffic

Query

let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']);
DeviceNetworkEvents
| where ActionType == "NetworkSignatureInspected"
| extend
     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),
     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),
     SamplePacketContent = tostring(parse_json(AdditionalFields).SamplePacketContent)
| where SignatureName == "HTTP_Client"
| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, " /", 0)[0])
| where HTTP_Request_Method == "GET"
| extend DownloadedContent = extract(@'.*/(.*)HTTP', 1, SignatureMatchedContent)
| extend DownloadContentFileExtention = extract(@'.*\.(.*)$', 1, DownloadedContent)
| where isnotempty(DownloadContentFileExtention) and string_size(DownloadContentFileExtention) < 8
| where DownloadContentFileExtention has_any (ExecutableFileExtentions)
| project-reorder TimeGenerated, DeviceName, DownloadedContent, HTTP_Request_Method, RemoteIP

About this query

Explanation

This query is designed to help identify potentially malicious HTTP traffic by analyzing network events. Here's a simplified breakdown of each step:

Step 1: Summarize HTTP Methods Used

  • Objective: Understand the types of HTTP requests being made in your environment.
  • Action: The query looks at network events where HTTP traffic is inspected. It extracts the HTTP method (like GET, POST) from the traffic data and counts how often each method is used. This helps in understanding the behavior of network traffic.

Step 2: Investigate HTTP GET Requests

  • Objective: Focus on files downloaded via HTTP GET requests.
  • Action: The query filters for GET requests and extracts the file extensions of downloaded content. It then counts and sorts these extensions to identify what types of files are being downloaded. This can help spot unusual or potentially harmful downloads.

Step 3: Investigate Downloaded Executables

  • Objective: Identify potentially harmful executable files downloaded via HTTP.
  • Action: The query further filters the GET requests to focus on files with executable extensions (like .exe, .bat). It lists these files along with details like the device name and remote IP address. This step helps in pinpointing suspicious executable downloads.

Step 4: Perform File Analysis (MDE Only)

  • Objective: Analyze a specific suspicious file in more detail.
  • Action: If a suspicious file is identified, this step uses the file's name to gather more information, such as its prevalence globally, its digital signer, and any associated threat names. It also lists devices and locations where the file is found. This helps in assessing the risk and understanding the file's distribution.

Additional Note

  • If any malicious activities are detected, further investigation can be conducted using additional queries and resources, such as the DFIR Queries.

Overall, this query helps in detecting and analyzing potentially malicious HTTP traffic by examining network events and focusing on suspicious downloads, especially executable files.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEventsDeviceFileEvents

Keywords

DeviceNetworkEventsSignatureNameHTTPRequestMethodDownloadedContentFileExtensionExecutableExtensionsRemoteIPTimestampSHA1GlobalPrevalenceFirstSeenSignerThreatListLocations

Operators

whereextendtostringparse_jsonsplitsummarizebyextractisnotemptystring_sizehas_anyproject-reorderletdynamicarg_maxmake_setinvokeFileProfile

Actions

GitHub