Query Details

IPv4 command detected in lolbin execution

LOL Bin Remote IP Command Line

Query

let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let LOLBins = dynamic(["AppInstaller.exe", "cmd.exe", "Aspnet_Compiler.exe", "At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertOC.exe", "CertReq.exe", "Certutil.exe", "Cmdkey.exe", "cmdl32.exe", "Cmstp.exe", "ConfigSecurityPolicy.exe", "Conhost.exe", "Control.exe", "Csc.exe", "Cscript.exe", "CustomShellHost.exe", "DataSvcUtil.exe", "Desktopimgdownldr.exe", "DeviceCredentialDeployment.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Explorer.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Finger.exe", "fltMC.exe", "Forfiles.exe", "Ftp.exe", "Gpscript.exe", "Hh.exe", "IMEWDBLD.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Ldifde.exe", "Makecab.exe", "Mavinject.exe", "Msedge.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "OfflineScannerShell.exe", "OneDriveStandaloneUpdater.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Pnputil.exe", "Presentationhost.exe", "Print.exe", "PrintBrm.exe", "Psr.exe", "Rasautou.exe", "rdrleakdiag.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runexehelper.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "Setres.exe", "SettingSyncHost.exe", "Stordiag.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "Unregmp2.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "winget.exe", "Wlrmdr.exe", "Wmic.exe", "WorkFolders.exe", "Wscript.exe", "Wsreset.exe", "wuauclt.exe", "Xwizard.exe", "fsutil.exe", "wt.exe", "GfxDownloadWrapper.exe", "Advpack.dll", "Desk.cpl", "Dfshim.dll", "Ieadvpack.dll", "Ieframe.dll", "Mshtml.dll", "Pcwutl.dll", "Setupapi.dll", "Shdocvw.dll", "Shell32.dll", "Syssetup.dll", "Url.dll", "Zipfldr.dll", "Comsvcs.dll", "AccCheckConsole.exe", "adplus.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "coregen.exe", "Createdump.exe", "csi.exe", "DefaultPack.EXE", "Devinit.exe"]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ (LOLBins)
| extend CommandLineIP = extract(IPRegex, 0, InitiatingProcessCommandLine)
| where isnotempty(CommandLineIP)
// Optional filter to only filter for public ips.
//| where not(ipv4_is_private(RemoteIP))
| project-reorder Timestamp, InitiatingProcessCommandLine, RemoteIP, DeviceName

About this query

Explanation

This query is designed to detect potentially suspicious activities involving the execution of "Living Off The Land Binaries" (LOLBins) that reference remote IP addresses in their command lines. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify instances where certain system binaries (LOLBins) are used to execute commands that include references to remote IP addresses. This can indicate attempts to connect to external networks, which might be used for lateral movement or transferring files.

  2. Technique: It relates to the MITRE ATT&CK technique T1218, which involves using legitimate system binaries to execute malicious actions, making detection harder.

  3. Regex for IP Detection: The query uses a regular expression (IPRegex) to identify IPv4 addresses in the command lines of processes.

  4. List of LOLBins: A predefined list of known LOLBins is used to filter the processes. These are legitimate executables that can be misused for malicious purposes.

  5. Data Source: The query searches through DeviceNetworkEvents to find events where the initiating process is one of the listed LOLBins.

  6. Extracting IPs: It extracts any IP addresses found in the command line of these processes.

  7. Filtering: The query checks if the extracted IP address is not empty, indicating that a remote IP was indeed referenced.

  8. Output: The results are reordered to show the timestamp, the command line that was executed, the remote IP address, and the device name.

  9. Optional Filtering: There is an optional commented-out line that can be used to filter out private IP addresses, focusing only on public IPs.

This query helps security analysts identify potentially malicious activities by highlighting when system binaries are used in unexpected ways to interact with remote IPs.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: July 20, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsCommandLineRemoteIPNameTimeGeneratedInitiatingProcessFile

Operators

letdynamicin~extendextractwhereisnotemptyproject-reorder

MITRE Techniques

Actions

GitHub