List oubound conhost connections
Outbound Conhost Connection
Query
let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))About this query
List oubound conhost connections
Query Information
Description
List outbound conhost connections.
Risk
It is unexpected that conhost makes connections to external domains.
References
Defender XDR
Sentinel
let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))
Explanation
This query is designed to identify and list outbound network connections made by the process "conhost.exe" that are considered unusual or potentially suspicious. Here's a simple breakdown of what the query does:
-
Target Process: It specifically looks for network events initiated by "conhost.exe", which is a Windows process typically used to host command-line interfaces.
-
External Connections: The query filters out connections that are made to private IP addresses or the local loopback address (127.0.0.1), focusing only on connections to external IP addresses.
-
Domain Filtering: It further narrows down the results by excluding connections to known valid domains, specifically those ending in ".microsoft.com" or ".digicert.com". These are considered safe and expected domains.
The purpose of this query is to detect unexpected or potentially malicious outbound connections made by "conhost.exe" to external domains that are not recognized as safe. This can help in identifying suspicious activities or potential security threats.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators