New LOLBIN with external connection
New LOL Bin External Connection
Query
let LOLBins = dynamic(["AppInstaller.exe", "Aspnet_Compiler.exe", "At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertOC.exe", "CertReq.exe", "Certutil.exe", "Cmd.exe", "Cmdkey.exe", "cmdl32.exe", "Cmstp.exe", "ConfigSecurityPolicy.exe", "Conhost.exe", "Control.exe", "Csc.exe", "Cscript.exe", "CustomShellHost.exe", "DataSvcUtil.exe", "Desktopimgdownldr.exe", "DeviceCredentialDeployment.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Explorer.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Finger.exe", "fltMC.exe", "Forfiles.exe", "Ftp.exe", "Gpscript.exe", "Hh.exe", "IMEWDBLD.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Ldifde.exe", "Makecab.exe", "Mavinject.exe", "Msedge.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "OfflineScannerShell.exe", "OneDriveStandaloneUpdater.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Pnputil.exe", "Presentationhost.exe", "Print.exe", "PrintBrm.exe", "Psr.exe", "Rasautou.exe", "rdrleakdiag.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runexehelper.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "Setres.exe", "SettingSyncHost.exe", "Stordiag.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "Unregmp2.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "winget.exe", "Wlrmdr.exe", "Wmic.exe", "WorkFolders.exe", "Wscript.exe", "Wsreset.exe", "wuauclt.exe", "Xwizard.exe", "fsutil.exe", "wt.exe", "GfxDownloadWrapper.exe", "Advpack.dll", "Desk.cpl", "Dfshim.dll", "Ieadvpack.dll", "Ieframe.dll", "Mshtml.dll", "Pcwutl.dll", "Setupapi.dll", "Shdocvw.dll", "Shell32.dll", "Syssetup.dll", "Url.dll", "Zipfldr.dll", "Comsvcs.dll", "AccCheckConsole.exe", "adplus.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "coregen.exe", "Createdump.exe", "csi.exe", "DefaultPack.EXE", "Devinit.exe"]);
let ExcludedLolBins = dynamic(["Msedge.exe"]);
// List all lolbins that have made remote connection to public IPs between the last 30 and 2 days.
let KnownRemoteLolbins =
DeviceNetworkEvents
| where Timestamp between (ago(30d) .. ago(2d))
| where InitiatingProcessFileName in~ (LOLBins) and InitiatingProcessFileName !in~ (ExcludedLolBins)
// Only list public IP actions.
| where RemoteIPType == "Public"
| distinct InitiatingProcessFileName;
DeviceNetworkEvents
| where Timestamp > ago(2d)
// Filter KnownRemoteLolbins
| where InitiatingProcessFileName in~ (LOLBins) and InitiatingProcessFileName !in~ (ExcludedLolBins) and not(InitiatingProcessFileName in~ (KnownRemoteLolbins))
| where RemoteIPType == "Public"
// Enrich IP Information
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)
| project-reorder Timestamp, DeviceName, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLineAbout this query
Explanation
This query is designed to identify unusual system binaries, known as LOLBins (Living Off The Land Binaries), that are making external network connections. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to detect rare or uncommon LOLBins that are making connections to external (public) IP addresses. These binaries are typically legitimate system tools that can be misused by attackers to perform malicious activities without raising suspicion.
-
Known LOLBins: The query starts by defining a list of known LOLBins, which are legitimate system binaries that can be used to execute commands or scripts. This list is based on the LOLBAS project, which documents such binaries.
-
Exclusions: Some LOLBins, like
msedge.exe, are excluded from the search because they frequently connect to external networks and could lead to false positives. -
Detection Window: The query looks for LOLBins that have made external connections within a specific timeframe:
- For Defender XDR, it checks connections made between 30 and 2 days ago.
- For Sentinel, it checks connections made between 90 and 2 days ago.
-
Filtering: It filters out LOLBins that have already been identified as making external connections within the specified timeframe, focusing on new or rare instances.
-
Public IPs: The query specifically looks for connections to public IP addresses, which could indicate communication with external servers.
-
Geolocation: For the detected connections, the query enriches the data with geolocation information, such as country, state, city, latitude, and longitude, to provide more context about the external connections.
-
Output: The results include details like the timestamp of the connection, the device name, the remote IP address, the initiating process file name, and the command line used to initiate the connection.
Overall, this query helps security teams identify potentially malicious activities by detecting unusual network behaviors of system binaries that are not commonly expected to make external connections.
Details

Bert-Jan Pals
Released: July 20, 2025
Tables
Keywords
Operators
MITRE Techniques