Query Details

Threat Hunting for inbound connections from malicious IPs on internet facing devices

Behavior Inbound Connection From Malicious IP

Query

// Collect Threat Intel feed information from Ipsum (Level 4), more threat can be used. For examples see TI feeds on the page: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/Threat%20Hunting
let ThreatIntelFeed = externaldata(DestIP: string)[@"https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt"] with (format="txt", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let MaliciousIP = materialize (
       ThreatIntelFeed
       | where DestIP matches regex IPRegex
       | distinct DestIP
        );
// Collect the last information from each device which is internet facing.
let InternetFacingInformation = DeviceInfo
| extend InternetFacingInfo  = AdditionalFields
// Parse all additional fields to queryable columns
| extend  InternetFacingReason = extractjson("$.InternetFacingReason", InternetFacingInfo, typeof(string)), InternetFacingLocalPort = extractjson("$.InternetFacingLocalPort", InternetFacingInfo, typeof(int)), InternetFacingScannedPublicPort = extractjson("$.InternetFacingScannedPublicPort", InternetFacingInfo, typeof(int)), InternetFacingScannedPublicIp = extractjson("$.InternetFacingScannedPublicIp", InternetFacingInfo, typeof(string)), InternetFacingLocalIp = extractjson("$.InternetFacingLocalIp", InternetFacingInfo, typeof(string)),    InternetFacingTransportProtocol=extractjson("$.InternetFacingTransportProtocol", InternetFacingInfo, typeof(string)), InternetFacingLastSeen = extractjson("$.InternetFacingLastSeen", InternetFacingInfo, typeof(datetime))
// Collect the max argument for each internet facing port
| summarize arg_max(Timestamp, *) by DeviceId, InternetFacingLocalPort
| where IsInternetFacing
| project DeviceId, InternetFacingLocalIp, InternetFacingLocalPort, InternetFacingReason;
// Collect the network related information for incomming connections
DeviceNetworkEvents
// Only display connections where an inbound connection has been accepted.
| where ActionType == 'InboundConnectionAccepted'
// Only show the devices that are internet facing, by joinint that information.
| join kind=inner InternetFacingInformation on $left.DeviceId == $right.DeviceId
// Make sure that the incomming connection is done to a port which is internet facing
| where LocalPort == InternetFacingLocalPort
// Filter on IPs that exsist in the Threat Intelligence Feed
| where RemoteIP in (MaliciousIP)
// If you do not want to see incomming SMTP (mail) actions remove the comment below
// | where LocalPort != 25
| project-rename ThreatIntelligenceIP=RemoteIP
| project-reorder Timestamp, DeviceName, ThreatIntelligenceIP, LocalPort, InitiatingProcessFileName

About this query

Explanation

This query is designed to help identify potentially malicious inbound connections to internet-facing devices within a network. Here's a simplified breakdown of what the query does:

  1. Threat Intelligence Feed: It starts by pulling in a list of known malicious IP addresses from an external threat intelligence source called Ipsum, specifically using Level 4 data. This list helps identify suspicious IPs that might be trying to connect to your network.

  2. Internet-Facing Devices: The query then gathers information about devices in your network that are exposed to the internet. This includes details like the local IP address, the port that is open, and the reason why the device is internet-facing.

  3. Network Events: It looks at network events to find instances where an inbound connection was accepted by these internet-facing devices.

  4. Matching Ports: The query ensures that the inbound connection was made to a port that is actually open and internet-facing on the device, reducing false positives.

  5. Malicious IP Check: It filters these connections to only show those coming from IPs listed in the threat intelligence feed, indicating potential malicious activity.

  6. Exclusions: There's an option to exclude connections on port 25, which is typically used for email (SMTP), to avoid false positives from legitimate email traffic.

  7. Output: The final output lists details such as the timestamp of the connection, the device name, the malicious IP address, the local port used, and the process that initiated the connection.

Overall, this query helps security teams identify and investigate suspicious inbound connections to their network's internet-facing devices, potentially indicating an attempted or successful breach.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

ThreatIntelFeedDeviceInfoDeviceNetworkEvents

Keywords

ThreatIntelligenceIPDeviceNetworkEventsInternetFacingInformation

Operators

externaldatawithmatches regexdistinctmaterializeextendextractjsontypeofsummarizearg_maxbywhereprojectjoin kind=inneroninproject-renameproject-reorder

Actions

GitHub