Query Details

Rare or low-prevalent outgoing, successful IPv4 connections from non-browser processes

Rare Outgoing I Pv4 Connections

Query

// Author: Alex Teixeira ([email protected])
// Query walkthrough: https://ateixei.medium.com/f5bfdc0d55d6?source=friends_link&sk=7f5d56cf3a85c126992ce866dd864b86
let ExcludedNets = datatable(ExcludedNet: string) 
    ['100.0.0.0/16', '200.200.200.0/24']; 
search in (DeviceNetworkEvents) "tcp" and "connectionsuccess" and "public" 
// Set the time scope
| where Timestamp > ago(30d)
// For this initial hunt, focus on plain IPv4 target resources only, no URLs
| where isempty(RemoteUrl)
// Consume the list of CIDRs to exclude (consider doing it after summarize as well)
| evaluate ipv4_lookup(ExcludedNets, RemoteIP, ExcludedNet, return_unmatched = true)
| where isempty(ExcludedNet)
// What if a malicious process actually matches those?
// So be sure to cover that with other use cases.
| where not(InitiatingProcessFileName matches regex @'(?i)^(msedge|chrome|firefox)\.exe$')
| where (Protocol == "Tcp" and ActionType == "ConnectionSuccess" and RemoteIPType == "Public") and InitiatingProcessFileName endswith ".exe" and not(RemotePort in (80, 443)) 
// Lower-case the process name to keep unique entries in the output
| extend InitiatingProcessFileName=tolower(InitiatingProcessFileName)
| summarize
  Hashes=make_set(InitiatingProcessMD5),
  DeviceCount=count_distinct(DeviceId),
  SampleProcess=any(InitiatingProcessCommandLine),
  SampleRemoteIP=any(RemoteIP),
  Ports=make_set(RemotePort) by InitiatingProcessFileName
// To make it even more strict, decrease the number to narrow the results
| where DeviceCount < 4
| extend RemoteIP_country = tostring(parse_json(geo_info_from_ip_address(SampleRemoteIP)).country) 
| sort by DeviceCount asc

About this query

Explanation

This query is designed to identify unusual or rare outgoing network connections from non-browser processes on your network. Here's a simple breakdown of what the query does:

  1. Scope and Data Source: It searches through network event logs to find successful TCP connections to public IP addresses.

  2. Time Frame: The query focuses on events from the last 30 days.

  3. Filter Criteria:

    • It excludes connections to certain IP ranges (specified in ExcludedNets).
    • It ignores connections initiated by common web browsers like Edge, Chrome, and Firefox.
    • It only considers processes that are executable files (.exe) and excludes connections to standard web ports (80 and 443).
  4. Data Processing:

    • It converts process names to lowercase to ensure uniqueness.
    • It summarizes the data by counting how many different devices initiated these connections and collects various details like process hashes, command lines, remote IPs, and ports used.
  5. Result Filtering: The query only includes processes observed on fewer than four devices, highlighting rare or unusual activity.

  6. Output: It provides a list of processes with details about their network connections, sorted by the number of devices they were observed on, and includes the country of the remote IP address.

The goal is to detect potentially malicious activities, such as remote access tools (RATs) or command and control (C2) communications, by identifying uncommon network behaviors.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteIPProcessConnectionSuccessPublicIPv4TCPPortsCountry

Operators

letdatatablesearchinandwhereisemptyevaluateipv4_lookupnotmatches regexendswithextendtolowersummarizemake_setcount_distinctanybytostringparse_jsongeo_info_from_ip_addresssortascago

Actions

GitHub