Query Details

Outbound Conhost Connection

Query

# List outbound conhost connections

## Query Information

#### Description
List outbound conhost connections.

#### Risk
conhost.exe is the Windows console host and has no legitimate reason to initiate network connections. A connection to an external destination attributed to it suggests code injected into the console host or a masquerading binary named conhost.exe.

#### References
- https://kqlquery.com/
- https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules

## Defender For Endpoint
```KQL
let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))
```
## Sentinel
```KQL
let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))
```

Explanation

This query lists outbound connections initiated by conhost.exe. It drops destinations in the RFC 1918 private ranges and the exact loopback address 127.0.0.1, then drops destinations whose RemoteUrl matches one of the allowlisted domains (.microsoft.com and .digicert.com). Everything that remains is an unexpected external connection attributed to conhost.exe and is worth triage. Two caveats: has_any is term-based and case-insensitive, so a hostname such as microsoft.com.evil.example also satisfies the allowlist (use endswith per domain if a strict suffix match is required), and only 127.0.0.1 is excluded rather than the whole 127.0.0.0/8 range. Events that carry a RemoteIP but an empty RemoteUrl are kept, which is intended. When triaging a hit, check InitiatingProcessFolderPath and InitiatingProcessSHA256: a conhost.exe outside the System32 folder or with an unknown hash points to a masquerading binary, while the genuine binary making the connection points to injected code.
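The same filter logic, re-implemented in Python and run over a handful of constructed DeviceNetworkEvents-style records so the effect of each clause can be checked offline. This is an added example, not code from the original page or from Bert-Jan Pals' repository; the sample events, the strict-suffix option and the helper names are assumptions made for illustration, and the has_any emulation approximates Kusto's whole-term matching rather than reproducing it exactly.

```python
import ipaddress
import re
from dataclasses import dataclass

# Allowlist copied from the KQL above (leading dots included, as in the query).
VALID_DOMAINS = (".microsoft.com", ".digicert.com")

# The RFC 1918 ranges that KQL's ipv4_is_private() treats as private.
PRIVATE_RANGES = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


@dataclass(frozen=True)
class NetworkEvent:
    """Subset of DeviceNetworkEvents columns used by the query (constructed records, not real telemetry)."""
    InitiatingProcessFileName: str
    RemoteIP: str
    RemoteUrl: str


def kql_ipv4_is_private(ip: str) -> bool:
    """Mirror ipv4_is_private(): true only for the three RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # assumption: keep unparsable addresses so they surface for triage
    return addr.version == 4 and any(addr in net for net in PRIVATE_RANGES)


def terms(s: str) -> list[str]:
    """Split a string into Kusto-style terms (runs of alphanumerics), lower-cased."""
    return re.findall(r"[a-z0-9_]+", s.lower())


def has_any_terms(url: str, domains) -> bool:
    """Approximate KQL has_any: whole-term, case-insensitive, adjacent-term phrase match.
    Note that '.microsoft.com' becomes the phrase ['microsoft', 'com'], which also
    matches 'microsoft.com.evil.example'."""
    url_terms = terms(url)
    for d in domains:
        want = terms(d)
        n = len(want)
        if n and any(url_terms[i:i + n] == want for i in range(len(url_terms) - n + 1)):
            return True
    return False


def endswith_any(url: str, domains) -> bool:
    """Strict suffix allowlist (what `RemoteUrl endswith '.microsoft.com' or ...` would do)."""
    u = url.lower()
    return any(u.endswith(d.lower()) for d in domains)


def hunt_conhost(events, strict_suffix: bool = False):
    """Apply the query's three where-clauses; return the events that survive."""
    allow = endswith_any if strict_suffix else has_any_terms
    hits = []
    for e in events:
        if e.InitiatingProcessFileName.lower() != "conhost.exe":  # =~ is case-insensitive
            continue
        if kql_ipv4_is_private(e.RemoteIP) or e.RemoteIP == "127.0.0.1":
            continue
        if allow(e.RemoteUrl, VALID_DOMAINS):
            continue
        hits.append(e)
    return hits


# Constructed sample events covering each branch of the query.
SAMPLE_EVENTS = [
    NetworkEvent("conhost.exe", "10.0.0.5", ""),                              # private: dropped
    NetworkEvent("conhost.exe", "127.0.0.1", ""),                             # loopback: dropped
    NetworkEvent("conhost.exe", "20.50.60.70", "www.microsoft.com"),          # allowlisted: dropped
    NetworkEvent("conhost.exe", "203.0.113.10", "microsoft.com.evil.example"),  # passes has_any, fails suffix
    NetworkEvent("conhost.exe", "198.51.100.7", ""),                          # external IP, no URL: hit
    NetworkEvent("cmd.exe", "198.51.100.7", ""),                              # other process: ignored
    NetworkEvent("CONHOST.EXE", "127.0.0.2", ""),                             # loopback but not 127.0.0.1: hit
]

if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict_suffix={strict}:")
        for hit in hunt_conhost(SAMPLE_EVENTS, strict_suffix=strict):
            print(f"  {hit.InitiatingProcessFileName} -> {hit.RemoteIP} {hit.RemoteUrl!r}")
```

Running it shows the two gaps called out above: the microsoft.com.evil.example record is hidden by the term-based allowlist but surfaces under the strict suffix check, and 127.0.0.2 is reported because the query only excludes the single address 127.0.0.1.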

Details


Bert-Jan Pals

Released: November 4, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, InitiatingProcessFileName, conhost.exe, ipv4_is_private, RemoteIP, RemoteUrl, ValidDomains

Operators

let, dynamic, DeviceNetworkEvents, where, =~, not, ipv4_is_private, or, ==, has_any
