Query Details

Connections to commonly abused top level domains

Top Level Domains

Query

let abusedTLD = dynamic(["rest", "okinawa", "live", "beauty", "bar", "fit", "gq", "cfd", "zone", "top"]);
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| extend hasIPinRemoteUrl = iif(indexof_regex(RemoteUrl,@"\b(?:\d{1,3}\.){3}\d{1,3}\b") == -1,false, true)
| where hasIPinRemoteUrl==false
| extend TLD = tostring(split(extract(@"\.([a-zA-Z]{2,}|[a-zA-Z]{2}\.[a-zA-Z]{2})$",0,RemoteUrl,typeof(string)),".")[1])
| where TLD in~ (abusedTLD)
| extend Domain = replace_regex(tostring(extract(@"[^.]+\.[^.]+$",0,RemoteUrl)),"https://","")
| project TimeGenerated, DeviceName,ActionType,RemoteUrl, TLD,Domain, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName

About this query

Explanation

The query is used to find connections to commonly abused top-level domains. It includes different sections for different types of events, such as DeviceNetworkEvents, EmailUrlInfo, and UrlClickEvents. The query filters the events based on the presence of a remote URL and checks if the URL contains an IP address. It then extracts the top-level domain (TLD) from the URL and compares it to a list of commonly abused TLDs. The query also includes additional fields such as TimeGenerated, DeviceName, ActionType, RemoteIP, and more to provide more context about the connections.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 4, 2023

Tables

DeviceNetworkEvents EmailUrlInfo EmailEvents UrlClickEvents

Keywords

ConnectionsDevicesIntuneUserTLDMITRE ATT&CKTechniqueLinkResource DevelopmentStage CapabilitiesLink TargetDefender for EndpointSentinelSpamhausWorld's Most Abused TLDsZIPMOVGoogleTop Level DomainsEmailsEmailUrlInfoEmailEventsURL ClickEventsXYZ

Operators

isnotemptyextendiifindexof_regexwherein~replace_regexprojectsplitextracttypeofjoin

MITRE Techniques

Actions

GitHub