Query Details

Monitoring Explorer Initiated External Traffic

Query

**[IA] - Monitoring Explorer-Initiated External Traffic**

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    |
| ---  | --- |
| T1105  |  Ingress Tool Transfer |

| Author | Sergio Albea (01/03/2026)   |
| ---  | --- |

**Description:** I was reading this article today on cybersecuritynews (🔗 ⬇️ ) about attackers abusing Windows File Explorer + WebDAV to deliver malware, and it made me think about how to monitor this threat.
The attack makes File Explorer connect to an external location that looks like a normal folder. From the user side nothing feels strange… but in reality explorer.exe is establishing an internet connection to attacker infrastructure.
As I usually say, it’s often better to focus on IOAs (how the activity happens) rather than only URLs or domains, because those are trivial for attackers to change. The behaviour is what tends to stay consistent.
The following KQL query identifies external connections initiated by Explorer, with an option to exclude false positives by URL and an option to restrict (or exclude) connections to specific countries.

```kql
//Sergio Albea
DeviceNetworkEvents
| where Timestamp >= ago(1d)
| where InitiatingProcessFileName =~ "explorer.exe"
| where RemoteIPType == "Public"
| where not(RemoteUrl has_any (dynamic(['bing.com','assets.msn.com'])))
| extend geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
//| where geo_ip !in ('','')
| summarize Connections=count(),make_set(RemoteUrl),make_set(RemoteIP) by DeviceName,DeviceId,InitiatingProcessFileName, geo_ip, Timestamp, ReportId
```

Explanation

This KQL (Kusto Query Language) query is designed to monitor and identify suspicious external network connections initiated by the Windows File Explorer (explorer.exe). Here's a simplified breakdown of what the query does:

  1. Data Source: It examines data from DeviceNetworkEvents, which logs network activity on devices.

  2. Time Frame: The query focuses on events from the past day (Timestamp >= ago(1d)).

  3. Process Filtering: It specifically looks for network connections initiated by explorer.exe, the Windows File Explorer process.

  4. Public IP Filtering: It filters for connections to public IP addresses (RemoteIPType == "Public"), which are typically external to the organization.

  5. Exclusion of Known URLs: The query excludes connections to certain known and benign URLs (bing.com and assets.msn.com) to reduce false positives.

  6. Geolocation: It extends the data with geolocation information (geo_ip) based on the remote IP address, identifying the country of the connection.

  7. Optional Country Filtering: There's an option (commented out) to exclude connections to specific countries, which can be customized as needed.

  8. Summarization: Finally, it summarizes the data by counting the number of connections and listing unique remote URLs and IPs, grouped by device details, process name, geolocation, timestamp, and report ID.

Overall, this query helps in detecting potentially malicious activity where the File Explorer is used to connect to external, possibly attacker-controlled, infrastructure. It focuses on the behavior of the process rather than specific URLs or domains, which can be easily changed by attackers.
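To make the filter steps concrete, here is an added Python emulation of the query's logic run over a few constructed DeviceNetworkEvents-style rows; it is not the author's query or Microsoft code. It assumes a `GeoCountry` field standing in for the country that `geo_info_from_ip_address(RemoteIP)` returns, approximates `has_any` as a whole-term match, and adds a stricter host-suffix allowlist check (`strict=True`) to show how the term-based exclusion behaves on a host that merely contains an allowlisted name.

```python
import re
from collections import defaultdict

# Constructed rows shaped like DeviceNetworkEvents (not real telemetry). GeoCountry
# stands in for the country the query derives with geo_info_from_ip_address(RemoteIP).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "Explorer.EXE", "RemoteIPType": "Public",
     "RemoteIP": "203.0.113.10", "RemoteUrl": "203.0.113.10", "GeoCountry": "Netherlands"},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "explorer.exe", "RemoteIPType": "Private",
     "RemoteIP": "10.0.0.5", "RemoteUrl": "fileserver.corp.example", "GeoCountry": ""},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "explorer.exe", "RemoteIPType": "Public",
     "RemoteIP": "198.51.100.3", "RemoteUrl": "www.bing.com", "GeoCountry": "United States"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "msedge.exe", "RemoteIPType": "Public",
     "RemoteIP": "198.51.100.7", "RemoteUrl": "docs.example.org", "GeoCountry": "United States"},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "explorer.exe", "RemoteIPType": "Public",
     "RemoteIP": "198.51.100.22", "RemoteUrl": "bing.com.lookalike.example", "GeoCountry": "United States"},
]
ALLOWLIST = ["bing.com", "assets.msn.com"]

def has_any(value, terms):
    """Approximate KQL has_any: case-insensitive whole-term match, so 'bing.com'
    matches 'www.bing.com' but also 'bing.com.lookalike.example'."""
    return any(re.search(rf"(?<![a-z0-9]){re.escape(t.lower())}(?![a-z0-9])", value.lower())
               for t in terms)

def host_allowed(url, domains):
    """Stricter allowlist: the host must be the domain itself or a subdomain of it."""
    host = url.lower().split("/")[0]
    return any(host == d or host.endswith("." + d) for d in map(str.lower, domains))

def explorer_external_connections(events, allowlist=ALLOWLIST, exclude_countries=(), strict=False):
    """Mirror the query's filters; summarize connections per device and country."""
    allowed = host_allowed if strict else has_any
    groups = defaultdict(lambda: {"Connections": 0, "RemoteUrls": set(), "RemoteIPs": set()})
    for ev in events:
        if ev["InitiatingProcessFileName"].lower() != "explorer.exe":  # =~ is case-insensitive
            continue
        if ev["RemoteIPType"] != "Public":                             # RemoteIPType == "Public"
            continue
        if allowed(ev["RemoteUrl"], allowlist):                        # not(RemoteUrl has_any ...)
            continue
        if ev["GeoCountry"] in exclude_countries:                      # optional geo_ip !in (...)
            continue
        g = groups[(ev["DeviceName"], ev["GeoCountry"])]               # summarize ... by device, geo_ip
        g["Connections"] += 1
        g["RemoteUrls"].add(ev["RemoteUrl"])                           # make_set(RemoteUrl)
        g["RemoteIPs"].add(ev["RemoteIP"])                             # make_set(RemoteIP)
    return dict(groups)
```

With the default term-based exclusion only the ws01 connection survives; with `strict=True` the ws03 host that only contains "bing.com" is kept as well, which is the tuning trade-off to weigh when extending the allowlist.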

Details


Sergio Albea

Released: March 1, 2026

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Timestamp, InitiatingProcessFileName, RemoteIPType, RemoteUrl, GeoIp, Connections, DeviceName, DeviceId, ReportId

Operators

ago, =~, ==, not, has_any, dynamic, extend, tostring, geo_info_from_ip_address, summarize, count, make_set, by
