Query Details

Rule : Possible Malware or C2 Activity

Possible Malware Activity

Query

let Lookback = 2h;
let C2Keywords = dynamic([
    "c2",
    "command and control",
    "botnet",
    "malware",
    "trojan",
    "ransomware",
    "backdoor",
    "beacon",
    "dns tunneling",
    "cobalt strike",
    "sliver",
    "meterpreter"
]);
let NetworkC2 = (
CommonSecurityLog
| where TimeGenerated >= ago(Lookback)
| extend DetectionText = strcat(Activity, " ", Message, " ", AdditionalExtensions)
| where tolower(DetectionText) has_any (C2Keywords)
| where isnotempty(SourceIP)
| where isnotempty(DestinationIP)
| where not(ipv4_is_private(DestinationIP))
| project
    NetworkTime = TimeGenerated,
    SourceIP,
    DestinationIP,
    DestinationPort,
    DeviceAction,
    Activity,
    Message);
let SuccessfulSignins = (
SigninLogs
| where TimeGenerated >= ago(Lookback)
| where ResultType == 0
| where isnotempty(IPAddress)
| project
    SigninTime = TimeGenerated,
    IPAddress,
    UserPrincipalName,
    AppDisplayName);
let AzureActions = (
AzureActivity
| where TimeGenerated >= ago(Lookback)
| where isnotempty(CallerIpAddress)
| project
    AzureActivityTime = TimeGenerated,
    CallerIpAddress,
    Caller,
    OperationNameValue,
    ActivityStatusValue);
NetworkC2
| join kind=leftouter SuccessfulSignins on $left.SourceIP == $right.IPAddress
| join kind=leftouter AzureActions on $left.SourceIP == $right.CallerIpAddress
| summarize
    FirstSeen = min(NetworkTime),
    LastSeen = max(NetworkTime),
    DestinationIPs = make_set(DestinationIP, 20),
    DestinationPorts = make_set(DestinationPort, 20),
    Activities = make_set(Activity, 20),
    DeviceActions = make_set(DeviceAction, 10),
    Users = make_set(UserPrincipalName, 10),
    SigninApps = make_set(AppDisplayName, 10),
    AzureCallers = make_set(Caller, 10),
    AzureOperations = make_set(OperationNameValue, 10),
    NetworkEventCount = count(),
    SigninCount = dcount(SigninTime),
    AzureActivityCount = dcount(AzureActivityTime)
    by SourceIP
| where NetworkEventCount >= 1
| extend Severity = case(
    AzureActivityCount > 0, "High",
    SigninCount > 0, "High",
    NetworkEventCount >= 3, "Medium",
    "Medium"
)
| extend AlertReason = case(
    AzureActivityCount > 0,
        "Possible Malware/C2 network activity from a source IP also seen in Azure activity.",
    SigninCount > 0,
        "Possible Malware/C2 network activity from a source IP also seen in successful sign-in logs.",
    NetworkEventCount >= 3,
        "Repeated Malware/C2 network indicators seen from the same source IP.",
    "Malware/C2 network indicator detected."
)
| project
    FirstSeen,
    LastSeen,
    Severity,
    AlertReason,
    SourceIP,
    DestinationIPs,
    DestinationPorts,
    Activities,
    DeviceActions,
    Users,
    SigninApps,
    AzureCallers,
    AzureOperations,
    NetworkEventCount,
    SigninCount,
    AzureActivityCount

About this query

Explanation

This query is designed to detect potential malware or command-and-control (C2) activity by analyzing network and cloud activity logs. Here's a simple breakdown of what it does:

  1. Purpose: The query aims to identify suspicious network activity that might indicate a device is infected with malware or is communicating with a malicious C2 server. It specifically looks for cases where the same IP address is involved in both suspicious network activity and legitimate cloud activities, like successful sign-ins or Azure operations.

  2. Detection Logic:

    • It searches through security logs for keywords related to malware or C2 activity, such as "c2", "botnet", "malware", etc.
    • It checks if the destination IP is external (not a private IP).
    • It correlates this network activity with successful sign-in logs and Azure activity logs to see if the same source IP is involved in legitimate cloud activities.
  3. Data Sources:

    • CommonSecurityLog: Used to find network events with potential malware/C2 indicators.
    • SigninLogs: Used to find successful sign-ins from the same source IP.
    • AzureActivity: Used to find Azure operations from the same source IP.
  4. Output:

    • The query summarizes the findings by listing the first and last time the suspicious activity was seen, the involved IP addresses, ports, activities, and users.
    • It assigns a severity level (High or Medium) based on the presence of Azure activity or sign-ins and the number of network events.
    • It provides an alert reason explaining why the activity is considered suspicious.
  5. MITRE ATT&CK Techniques: The query is related to techniques like Application Layer Protocol, Ingress Tool Transfer, and Dynamic Resolution, which are common in malware and C2 activities.

In essence, this query helps security teams identify potentially compromised hosts by correlating suspicious network activity with legitimate cloud activities, providing a higher confidence level in detecting threats.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 2, 2026

Tables

CommonSecurityLogSigninLogsAzureActivity

Keywords

CommonSecurityLogSigninLogsAzureActivityActivityMessageSourceIPDestinationIPDestinationPortDeviceActionThreatSeverityTimeGeneratedAdditionalExtensionsIPAddressUserPrincipalNameAppDisplayNameCallerIpAddressCallerOperationNameValueActivityStatusValueNetworkTimeSigninTimeAzureActivityTimeDetectionTextC2KeywordsNetworkC2SuccessfulSigninsAzureActions

Operators

letdynamicagostrcattolowerhas_anyisnotemptyipv4_is_privateprojectjoinkind=leftoutersummarizeminmaxmake_setcountdcountbywhereextendcase

MITRE Techniques

Actions

GitHub