Query Details

Multiple Uncommon Loaded Image Connection To Suspicious Domain

Query

let query_frequency = 1h;
let query_period = 14d;
let suspicious_domains = dynamic([
    @"d\d[a-z0-9]{12}\.cloudfront\.net",
    @"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    @"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
    @"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
    @"portswigger\.net",
    @"oastify\.com",
    @"whatismyip\.com",
    @"whatismyip\.net",
    @"whatismyipaddress\.com"
]);
//let excluded_urls = dynamic(["uhf-exp-fd-gbcrdgggfbggh0g3.b02.azurefd.net"]);
DeviceNetworkEvents
| where Timestamp > ago(query_period)
| where RemoteUrl matches regex strcat_array(suspicious_domains, "|") // and not(InitiatingProcessAccountSid in ("S-1-5-18", "S-1-5-20"))
//| where not(RemoteUrl has_any (excluded_urls))
| where not(InitiatingProcessUniqueId == 0)
| project DeviceId, DeviceName, LocalIP, ActionType, RemoteIP, RemotePort, RemoteUrl, Protocol, InitiatingProcessUniqueId
| as _AuxiliarEvents
| join kind=inner (
    DeviceImageLoadEvents
    | where Timestamp > ago(query_period)
    | where not(InitiatingProcessUniqueId == 0) and (isnotempty(SHA1) or isnotempty(SHA256) or isnotempty(MD5)) and DeviceId in (toscalar(_AuxiliarEvents | summarize make_set(DeviceId)))
    | project-away DeviceName, ActionType
    ) on DeviceId, InitiatingProcessUniqueId
| project-away DeviceId1, InitiatingProcessUniqueId1
| summarize
    StartTime = arg_min(Timestamp, *),
    EndTime = max(Timestamp),
    DeviceNamesSample = array_sort_asc(make_set(DeviceName, 100)),
    RemoteUrlsSample = array_sort_asc(make_set(RemoteUrl, 100))
    by SHA1, SHA256, MD5
| where StartTime > ago(query_frequency)
| invoke FileProfile("SHA1", 1000)
| where not(GlobalPrevalence > 10000)
| where not(GlobalPrevalence > 1000 and GlobalFirstSeen < ago(query_frequency) and SignatureState == "SignedValid")
| project
    StartTime,
    EndTime,
    DeviceNamesSample,
    RemoteUrlsSample,
    Timestamp = StartTime,
    DeviceId,
    DeviceName,
    LocalIP,
    ActionType,
    RemoteIP,
    RemotePort,
    RemoteUrl,
    Protocol,
    FileName,
    FolderPath,
    SHA1,
    SHA256,
    MD5,
    FileSize,
    GlobalPrevalence,
    GlobalFirstSeen,
    GlobalLastSeen,
    SignatureState,
    InitiatingProcessAccountName,
    InitiatingProcessAccountSid,
    InitiatingProcessAccountUpn,
    InitiatingProcessAccountObjectId,
    InitiatingProcessFileName,
    InitiatingProcessFolderPath,
    InitiatingProcessCommandLine,
    InitiatingProcessCreationTime,
    IsInitiatingProcessRemoteSession,
    InitiatingProcessParentFileName,
    InitiatingProcessVersionInfoCompanyName,
    InitiatingProcessVersionInfoProductName,
    InitiatingProcessVersionInfoOriginalFileName,
    InitiatingProcessVersionInfoInternalFileName,
    InitiatingProcessVersionInfoFileDescription,
    InitiatingProcessVersionInfoProductVersion,
    InitiatingProcessUniqueId,
    ReportId

Explanation

This query is designed to identify potentially suspicious network activity on devices over the past 14 days, focusing on connections to certain domains that are considered suspicious. Here's a simplified breakdown of what the query does:

  1. Define Parameters:
    • query_frequency: The interval at which the query is intended to be run (every 1 hour).
    • query_period: The time period over which to look for events (14 days).
    • suspicious_domains: A list of domain regex patterns that are considered suspicious. strcat_array joins them with | into a single alternation, and matches regex applies it as an unanchored match against RemoteUrl.
  2. Filter Network Events:
    • From the DeviceNetworkEvents table, select events where the Timestamp is within the last 14 days.
    • Keep events where the RemoteUrl matches any of the suspicious domain patterns.
    • Exclude events where the InitiatingProcessUniqueId is zero (no initiating process could be attributed).
    • Keep only the device, connection and process identifier columns, and name the result _AuxiliarEvents so it can be reused below.
  3. Join with Image Load Events:
    • Join the filtered network events with DeviceImageLoadEvents on DeviceId and InitiatingProcessUniqueId, so that every image load is tied to the exact process that made the connection.
    • The image-load side is restricted to the same 14-day window, to the devices present in _AuxiliarEvents (via toscalar and make_set), and to rows with at least one non-empty hash (SHA1, SHA256, or MD5).
  4. Summarize Data:
    • Group the joined rows by file hashes (SHA1, SHA256, MD5) and record the earliest (StartTime, via arg_min, which also keeps the other columns of that earliest row) and latest (EndTime) image-load timestamps, together with samples of up to 100 device names and remote URLs.
    • Keep only hashes whose StartTime falls within the last query_frequency (1 hour), so each scheduled run reports only files newly observed loading in that window.
  5. Filter by File Prevalence:
    • Use the FileProfile function (on SHA1, up to 1000 rows) to enrich each hash with global prevalence, first/last seen dates and signature state.
    • Exclude files with a GlobalPrevalence above 10,000, and files with a GlobalPrevalence above 1,000 that were first seen before the current run window and carry a valid signature (SignedValid).
  6. Project Final Results:
    • Select and organize the fields for the final output, including timestamps, device details, network details, file information, and process details.

Overall, this query helps in identifying and analyzing suspicious network activities related to specific domains, providing insights into potentially malicious files and processes involved in these activities.
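The following Python script is added here as an illustration and is not part of the original query page. It replays the query's filter, join, summarize and prevalence steps over a handful of constructed rows, so the effect of each filter (the unanchored regex, the InitiatingProcessUniqueId == 0 exclusion, the 1-hour StartTime window, and the two FileProfile exclusions) can be checked offline before the query is scheduled. The pattern list is the query's own (with the dot in the cloudfront entry escaped); the row shapes, hashes, device names, URLs and prevalence numbers are constructed, and FileProfile is stood in by a plain dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The query's suspicious_domains list. strcat_array(list, "|") joins them into one
# alternation, and KQL's `matches regex` is an unanchored search, so re.search is
# the equivalent here.
SUSPICIOUS_DOMAINS = [
    r"d\d[a-z0-9]{12}\.cloudfront\.net",
    r"[\-\w]+\-[a-f0-9]{3,5}\.kxcdn\.com",
    r"[\-\w]+\-[a-z0-9]{16}\.\w\d\d\.azurefd\.net",
    r"[\-\w]+\.[a-z0-9]+\.cloudapp\.azure\.com",
    r"portswigger\.net",
    r"oastify\.com",
    r"whatismyip\.com",
    r"whatismyip\.net",
    r"whatismyipaddress\.com",
]
SUSPICIOUS_RE = re.compile("|".join(SUSPICIOUS_DOMAINS))

NOW = datetime(2026, 6, 11, 12, 0, tzinfo=timezone.utc)  # constructed clock for the sample
QUERY_FREQUENCY = timedelta(hours=1)
QUERY_PERIOD = timedelta(days=14)


def is_suspicious(remote_url):
    """Step 2 of the query: RemoteUrl matches regex strcat_array(suspicious_domains, "|")."""
    return SUSPICIOUS_RE.search(remote_url) is not None


def correlate(network_events, image_loads, file_profiles, now=NOW):
    """Replays steps 2 to 5 of the query over in-memory rows; returns one dict per surviving SHA1."""
    # Step 2: network events inside the period, to a suspicious URL, with a real initiating process.
    net_by_key = defaultdict(list)
    for e in network_events:
        if (e["Timestamp"] > now - QUERY_PERIOD and e["InitiatingProcessUniqueId"] != 0
                and is_suspicious(e["RemoteUrl"])):
            net_by_key[(e["DeviceId"], e["InitiatingProcessUniqueId"])].append(e)

    # Step 3: inner join with image loads on (DeviceId, InitiatingProcessUniqueId); a hash is required.
    loads_by_hash = defaultdict(list)
    for il in image_loads:
        key = (il["DeviceId"], il["InitiatingProcessUniqueId"])
        if il["Timestamp"] > now - QUERY_PERIOD and il["InitiatingProcessUniqueId"] != 0 and il["SHA1"]:
            for e in net_by_key.get(key, []):
                loads_by_hash[il["SHA1"]].append((il, e))

    results = []
    for sha1, rows in loads_by_hash.items():
        # Step 4: summarize by hash. StartTime is the earliest image-load Timestamp, and only
        # hashes first loaded inside the last query_frequency are reported by this run.
        start = min(il["Timestamp"] for il, _ in rows)
        if start <= now - QUERY_FREQUENCY:
            continue
        # Step 5: the two FileProfile prevalence exclusions, as written in the query.
        fp = file_profiles[sha1]
        if fp["GlobalPrevalence"] > 10000:
            continue
        if (fp["GlobalPrevalence"] > 1000 and fp["GlobalFirstSeen"] < now - QUERY_FREQUENCY
                and fp["SignatureState"] == "SignedValid"):
            continue
        results.append({
            "SHA1": sha1,
            "FileName": rows[0][0]["FileName"],
            "StartTime": start,
            "EndTime": max(il["Timestamp"] for il, _ in rows),
            "DeviceNamesSample": sorted({e["DeviceName"] for _, e in rows}),
            "RemoteUrlsSample": sorted({e["RemoteUrl"] for _, e in rows}),
            "GlobalPrevalence": fp["GlobalPrevalence"],
        })
    return sorted(results, key=lambda r: r["SHA1"])


def _net(minutes_ago, device, name, pid, url):
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "DeviceId": device,
            "DeviceName": name, "InitiatingProcessUniqueId": pid, "RemoteUrl": url}


def _load(minutes_ago, device, pid, sha1, file_name):
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "DeviceId": device,
            "InitiatingProcessUniqueId": pid, "SHA1": sha1, "FileName": file_name}


# Constructed sample telemetry, not real events.
NETWORK_EVENTS = [
    _net(20, "dev-a", "ws01", 111, "d1abcdefghij01.cloudfront.net"),
    _net(15, "dev-a", "ws01", 0, "abc.oastify.com"),        # dropped: InitiatingProcessUniqueId == 0
    _net(10, "dev-b", "ws02", 222, "www.example.com"),      # dropped: no pattern matches
    _net(180, "dev-c", "ws03", 333, "whatismyipaddress.com"),
]
IMAGE_LOADS = [
    _load(25, "dev-a", 111, "aaa", "helper.dll"),   # kept: rare and unsigned
    _load(25, "dev-a", 111, "bbb", "common.dll"),   # dropped: prevalence above 10,000
    _load(25, "dev-a", 111, "ccc", "vendor.dll"),   # dropped: prevalence > 1,000, old, SignedValid
    _load(24, "dev-a", 111, "ddd", "fresh.dll"),    # kept: signed but first seen inside the window
    _load(180, "dev-c", 333, "eee", "old.dll"),     # dropped: StartTime older than query_frequency
]
FILE_PROFILES = {  # the fields the query reads from FileProfile, with constructed values
    "aaa": {"GlobalPrevalence": 5, "GlobalFirstSeen": NOW - timedelta(days=1), "SignatureState": "Unsigned"},
    "bbb": {"GlobalPrevalence": 50000, "GlobalFirstSeen": NOW - timedelta(days=900), "SignatureState": "SignedValid"},
    "ccc": {"GlobalPrevalence": 2000, "GlobalFirstSeen": NOW - timedelta(days=30), "SignatureState": "SignedValid"},
    "ddd": {"GlobalPrevalence": 1500, "GlobalFirstSeen": NOW - timedelta(minutes=10), "SignatureState": "SignedValid"},
    "eee": {"GlobalPrevalence": 3, "GlobalFirstSeen": NOW - timedelta(days=2), "SignatureState": "Unsigned"},
}

if __name__ == "__main__":
    for r in correlate(NETWORK_EVENTS, IMAGE_LOADS, FILE_PROFILES):
        print(r["SHA1"], r["FileName"], r["DeviceNamesSample"], r["RemoteUrlsSample"], r["GlobalPrevalence"])
```

Running it lists only the hashes aaa and ddd: every other sample row is removed by one of the query's filters, and the inline comments name which one. Changing a threshold or a sample timestamp and re-running is a quick way to see how the 1-hour window and the prevalence rules interact before touching the scheduled query.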

Details

Jose Sebastián Canós

Released: June 11, 2026

Tables

DeviceNetworkEvents, DeviceImageLoadEvents

Keywords

DeviceNetworkEvents, DeviceImageLoadEvents, FileProfile

Operators

let, dynamic, ago, matches regex, strcat_array, project, as, join, kind=inner, in, toscalar, summarize, make_set, project-away, arg_min, max, array_sort_asc, invoke, where, not, and, isnotempty, project