Query Details

List oubound conhost connections

Outbound Conhost Connection

Query

let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))

About this query

List oubound conhost connections

Query Information

Description

List outbound conhost connections.

Risk

It is unexpected that conhost makes connections to external domains.

References

Defender XDR

Sentinel

let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))

Explanation

This query is designed to identify and list outbound network connections made by the process "conhost.exe" that are considered unusual or potentially suspicious. Here's a simple breakdown of what the query does:

  1. Target Process: It specifically looks for network events initiated by "conhost.exe", which is a Windows process typically used to host command-line interfaces.

  2. External Connections: The query filters out connections that are made to private IP addresses or the local loopback address (127.0.0.1), focusing only on connections to external IP addresses.

  3. Domain Filtering: It further narrows down the results by excluding connections to known valid domains, specifically those ending in ".microsoft.com" or ".digicert.com". These are considered safe and expected domains.

The purpose of this query is to detect unexpected or potentially malicious outbound connections made by "conhost.exe" to external domains that are not recognized as safe. This can help in identifying suspicious activities or potential security threats.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteIPUrlInitiatingProcessFileName

Operators

letdynamic=~wherenotipv4_is_private==has_any

Actions

GitHub