Query Details

Multiple Uncommon Loaded Image Connection To Suspicious Domain

Query

let query_frequency = 1h;  // how often the query is scheduled; only hashes first seen in this window are alerted on
let query_period = 14d;    // look-back window for correlating network and image-load events
// Regex patterns (RE2 syntax) that are joined with "|" below; CDN / cloud-hosting patterns plus known OOB-testing and IP-check domains
let suspicious_domains = dynamic([
    @"d\d[a-z0-9]{12}\.cloudfront\.net",
    @"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    @"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
    @"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
    @"portswigger\.net",
    @"oastify\.com",
    @"whatismyip\.com",
    @"whatismyip\.net",
    @"whatismyipaddress\.com"
]);
// Tuning lists: add URLs, vendor names and original file names that are known-good in your environment
//let excluded_urls = dynamic(["uhf-exp-fd-gbcrdgggfbggh0g3.b02.azurefd.net"]);
let excluded_company_names = dynamic([""]);
let excluded_original_names = dynamic([""]);
DeviceNetworkEvents
| where Timestamp > ago(query_period)
| where RemoteUrl matches regex strcat_array(suspicious_domains, "|") // and not(InitiatingProcessAccountSid in ("S-1-5-18", "S-1-5-20"))
//| where not(RemoteUrl has_any (excluded_urls))
| where not(InitiatingProcessUniqueId == 0)
| project DeviceId, DeviceName, LocalIP, ActionType, RemoteIP, RemotePort, RemoteUrl, Protocol, InitiatingProcessUniqueId
| as _AuxiliarEvents
| join kind=inner (
    DeviceImageLoadEvents
    | where Timestamp > ago(query_period)
    | where not(InitiatingProcessUniqueId == 0) and (isnotempty(SHA1) or isnotempty(SHA256) or isnotempty(MD5)) and DeviceId in (toscalar(_AuxiliarEvents | summarize make_set(DeviceId)))
    | project-away DeviceName, ActionType
    ) on DeviceId, InitiatingProcessUniqueId
| project-away DeviceId1, InitiatingProcessUniqueId1
| summarize
    StartTime = arg_min(Timestamp, *),
    EndTime = max(Timestamp),
    DeviceNamesSample = array_sort_asc(make_set(DeviceName, 100)),
    RemoteUrlsSample = array_sort_asc(make_set(RemoteUrl, 100))
    by SHA1, SHA256, MD5
| where StartTime > ago(query_frequency) // keep only hashes whose earliest correlated load falls inside the last run interval
| invoke FileProfile("SHA1", 1000) // enrich each SHA1 with global prevalence, first/last seen dates and signature state
| where not(GlobalPrevalence > 10000) // drop widely deployed files
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_period)) // drop fairly common files already known before the look-back period
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_frequency) and SignatureState == "SignedValid") // drop fairly common, validly signed files seen before this run
| where not(GlobalPrevalence > 500 and InitiatingProcessVersionInfoCompanyName in (excluded_company_names) and InitiatingProcessVersionInfoOriginalFileName in (excluded_original_names)) // environment-specific allow-list
| project
    StartTime,
    EndTime,
    DeviceNamesSample,
    RemoteUrlsSample,
    Timestamp = StartTime,
    DeviceId,
    DeviceName,
    LocalIP,
    ActionType,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    Protocol,
    FileName,
    FolderPath,
    SHA1,
    SHA256,
    MD5,
    FileSize,
    GlobalPrevalence,
    GlobalFirstSeen,
    GlobalLastSeen,
    SignatureState,
    InitiatingProcessAccountName,
    InitiatingProcessAccountSid,
    InitiatingProcessAccountUpn,
    InitiatingProcessAccountObjectId,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    InitiatingProcessCreationTime,
    IsInitiatingProcessRemoteSession,
    InitiatingProcessParentFileName,
    InitiatingProcessVersionInfoCompanyName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessVersionInfoOriginalFileName,
    InitiatingProcessVersionInfoInternalFileName,
    InitiatingProcessVersionInfoFileDescription,
    InitiatingProcessVersionInfoProductVersion,
    InitiatingProcessUniqueId,
    ReportId

Explanation

This query is designed to identify and analyze suspicious network activities on devices over a specified period. Here's a simplified breakdown of what the query does:

  1. Timeframe and Frequency: The query looks at network events from the past 14 days and is intended to be run every hour.

  2. Suspicious Domains: It defines a list of suspicious domain patterns and specific domains that are considered potentially harmful or indicative of malicious activity.

  3. Filtering Network Events:

    • It retrieves network events from devices that occurred in the last 14 days.
    • It filters these events to include only those where the remote URL matches any of the suspicious domain patterns.
    • It excludes events whose initiating process unique ID (InitiatingProcessUniqueId) is zero, which typically indicates system processes, so that every remaining connection can be tied to a concrete process.
  4. Joining with Image Load Events:

    • The query inner-joins the filtered network events with image load events (DLLs and other image files loaded by a process) on the same device ID and initiating process unique ID.
    • It ensures that the image load events have at least one valid hash value (SHA1, SHA256, or MD5).
  5. Summarizing Data:

    • It summarizes the data by calculating the start and end times of the events, and collects samples of device names and remote URLs associated with the suspicious activities.
    • The summary is grouped by file hashes (SHA1, SHA256, MD5).
  6. File Profiling and Filtering:

    • It enriches each file, looked up by its SHA1 hash, with FileProfile data such as global prevalence, first/last seen dates and signature state.
    • It filters out files with high global prevalence (seen on more than 10,000 devices, or more than 1,000 when the file was first seen before the 14-day period or is validly signed and predates the current run), since such files are common and unlikely to be malicious, and applies an optional allow-list based on the initiating process's company name and original file name.
  7. Output:

    • The query projects a comprehensive set of details about the suspicious activities, including timestamps, device and network information, file details, and process information.

Overall, this query is used to detect and investigate potentially malicious network activities by correlating network events with file loads and applying various filters to focus on less common and potentially harmful activities.
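To make the correlation logic concrete, the following Python snippet (an added example, not part of the original query page) re-implements the steps above over a few constructed event rows: the regex list is taken from the query, the join on DeviceId and InitiatingProcessUniqueId, the grouping by SHA1 and the prevalence filters follow the KQL, while the allow-list filter on company/original file name is omitted because the page leaves those lists empty. All row values and the FileProfile results are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns copied from the page's suspicious_domains list, joined like strcat_array(suspicious_domains, "|")
SUSPICIOUS_RE = re.compile("|".join([
    r"d\d[a-z0-9]{12}\.cloudfront\.net", r"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    r"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net", r"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
    r"portswigger\.net", r"oastify\.com", r"whatismyip\.com", r"whatismyip\.net", r"whatismyipaddress\.com"]))
QUERY_PERIOD, QUERY_FREQUENCY = timedelta(days=14), timedelta(hours=1)

def uncommon_loaded_images(network_events, image_loads, profiles, now):
    # Steps 1-3: connections to a suspicious domain from a known initiating process, inside the look-back period
    hits = defaultdict(list)
    for e in network_events:
        if now - e["Timestamp"] < QUERY_PERIOD and e["InitiatingProcessUniqueId"] != 0 and SUSPICIOUS_RE.search(e["RemoteUrl"]):
            hits[(e["DeviceId"], e["InitiatingProcessUniqueId"])].append(e)
    # Steps 4-5: inner join on (DeviceId, InitiatingProcessUniqueId), keep hashed images, group by SHA1
    groups = defaultdict(list)
    for img in image_loads:
        key = (img["DeviceId"], img["InitiatingProcessUniqueId"])
        if now - img["Timestamp"] < QUERY_PERIOD and img.get("SHA1") and key in hits:
            groups[img["SHA1"]].extend((img["Timestamp"], n) for n in hits[key])
    # Step 6: only hashes first loaded in the last run interval, minus prevalent / long-known / signed files
    results = []
    for sha1, rows in groups.items():
        start = min(ts for ts, _ in rows)
        p = profiles.get(sha1, {})
        prev, first = p.get("GlobalPrevalence", 0), p.get("GlobalFirstSeen", now)
        if now - start >= QUERY_FREQUENCY or prev > 10000:
            continue
        if prev > 1000 and (first < now - QUERY_PERIOD or
                            (first < now - QUERY_FREQUENCY and p.get("SignatureState") == "SignedValid")):
            continue
        results.append({"SHA1": sha1, "StartTime": start,
                        "DeviceNamesSample": sorted({n["DeviceName"] for _, n in rows}),
                        "RemoteUrlsSample": sorted({n["RemoteUrl"] for _, n in rows})})
    return results

NOW = datetime(2024, 1, 10, 12, 0)  # constructed reference time for the sample rows
NETWORK = [  # constructed DeviceNetworkEvents rows; unique ID 0 = unknown initiating process, dropped by the query
    {"DeviceId": "dev-a", "DeviceName": "WS01", "InitiatingProcessUniqueId": 111, "RemoteUrl": "d1abcdefghij23.cloudfront.net", "Timestamp": NOW - timedelta(minutes=20)},
    {"DeviceId": "dev-b", "DeviceName": "WS02", "InitiatingProcessUniqueId": 0, "RemoteUrl": "xyz.oastify.com", "Timestamp": NOW - timedelta(minutes=5)},
]
IMAGES = [  # constructed DeviceImageLoadEvents rows (only the columns the logic needs)
    {"DeviceId": "dev-a", "InitiatingProcessUniqueId": 111, "SHA1": "sha1-rare", "Timestamp": NOW - timedelta(minutes=30)},
    {"DeviceId": "dev-a", "InitiatingProcessUniqueId": 111, "SHA1": "sha1-common", "Timestamp": NOW - timedelta(minutes=30)},
]
PROFILES = {  # constructed FileProfile() enrichment results
    "sha1-rare": {"GlobalPrevalence": 4, "GlobalFirstSeen": NOW - timedelta(hours=6), "SignatureState": "Unsigned"},
    "sha1-common": {"GlobalPrevalence": 250000, "GlobalFirstSeen": NOW - timedelta(days=400), "SignatureState": "SignedValid"}}
```

Running `uncommon_loaded_images(NETWORK, IMAGES, PROFILES, NOW)` returns only the rare image loaded by the process that contacted the cloudfront host; the common signed file and the connection without a known process are filtered out.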

Details

Jose Sebastián Canós

Released: June 17, 2026

Tables

DeviceNetworkEvents, DeviceImageLoadEvents

Keywords

DeviceNetworkEvents, DeviceImageLoadEvents, FileProfile

Operators

let, dynamic, ago, matches regex, strcat_array, not, in, toscalar, summarize, make_set, array_sort_asc, arg_min, max, invoke, where, project, project-away, join, on, by, as