Potential Beaconing Activity
Query
let DeviceThreshold = 5;
let ConnectionThreshold = 25;
let GlobalPrevalanceThreshold = 250;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where not(ipv4_is_private(RemoteIP))
| where ActionType == 'ConnectionSuccessAggregatedReport'
| extend Connections = toint(parse_json(AdditionalFields).uniqueEventsAggregated)
| summarize Total = count(), Devices = dcount(DeviceId), Domains = make_set(RemoteUrl), AvgConnections = avg(Connections) by RemoteIP, bin(TimeGenerated, 1d)
| where AvgConnections >= ConnectionThreshold and Devices <= DeviceThreshold
| join kind=inner (DeviceNetworkEvents
| where ActionType == 'ConnectionSuccess'
| distinct RemoteIP, InitiatingProcessSHA256) on RemoteIP
| invoke FileProfile(InitiatingProcessSHA256)
| where GlobalPrevalence <= GlobalPrevalanceThresholdAbout this query
Explanation
This query is designed to detect potential malicious activity, specifically Command & Control (C2) beaconing, by analyzing network connections. Here's a simplified breakdown:
-
Objective: The query aims to identify suspicious remote IP addresses that might be involved in C2 communication. This is done by looking for IPs that receive a high number of connections from a small number of devices, which is a common pattern in malware communication.
-
Process:
- Data Source: It examines network events from the past 7 days.
- Filtering: It excludes private IP addresses and focuses on successful connection reports.
- Aggregation: It calculates the average number of connections to each remote IP and counts how many different devices are connecting to it.
- Thresholds: It flags IPs with an average of at least 25 connections from 5 or fewer devices.
- Enrichment: It checks the processes initiating these connections against a global database to see how common they are. Processes with low global prevalence are more suspicious.
-
Risk: Detecting beaconing is crucial because it indicates that an attacker might be maintaining a connection to a compromised device, potentially to issue commands or steal data. Early detection can help mitigate the threat.
-
Tools: The query is compatible with both Defender XDR and Sentinel, two security platforms.
In essence, this query helps security teams identify potential threats by spotting unusual network behavior that could indicate malware communication.
