Rare or low-prevalent outgoing, successful IPv4 connections from non-browser processes
Rare Outgoing I Pv4 Connections
Query
// Author: Alex Teixeira ([email protected])
// Query walkthrough: https://ateixei.medium.com/f5bfdc0d55d6?source=friends_link&sk=7f5d56cf3a85c126992ce866dd864b86
let ExcludedNets = datatable(ExcludedNet: string)
['100.0.0.0/16', '200.200.200.0/24'];
search in (DeviceNetworkEvents) "tcp" and "connectionsuccess" and "public"
// Set the time scope
| where Timestamp > ago(30d)
// For this initial hunt, focus on plain IPv4 target resources only, no URLs
| where isempty(RemoteUrl)
// Consume the list of CIDRs to exclude (consider doing it after summarize as well)
| evaluate ipv4_lookup(ExcludedNets, RemoteIP, ExcludedNet, return_unmatched = true)
| where isempty(ExcludedNet)
// What if a malicious process actually matches those?
// So be sure to cover that with other use cases.
| where not(InitiatingProcessFileName matches regex @'(?i)^(msedge|chrome|firefox)\.exe$')
| where (Protocol == "Tcp" and ActionType == "ConnectionSuccess" and RemoteIPType == "Public") and InitiatingProcessFileName endswith ".exe" and not(RemotePort in (80, 443))
// Lower-case the process name to keep unique entries in the output
| extend InitiatingProcessFileName=tolower(InitiatingProcessFileName)
| summarize
Hashes=make_set(InitiatingProcessMD5),
DeviceCount=count_distinct(DeviceId),
SampleProcess=any(InitiatingProcessCommandLine),
SampleRemoteIP=any(RemoteIP),
Ports=make_set(RemotePort) by InitiatingProcessFileName
// To make it even more strict, decrease the number to narrow the results
| where DeviceCount < 4
| extend RemoteIP_country = tostring(parse_json(geo_info_from_ip_address(SampleRemoteIP)).country)
| sort by DeviceCount ascAbout this query
Explanation
This query is designed to identify unusual or rare outgoing network connections from non-browser processes on your network. Here's a simple breakdown of what the query does:
-
Scope and Data Source: It searches through network event logs to find successful TCP connections to public IP addresses.
-
Time Frame: The query focuses on events from the last 30 days.
-
Filter Criteria:
- It excludes connections to certain IP ranges (specified in
ExcludedNets). - It ignores connections initiated by common web browsers like Edge, Chrome, and Firefox.
- It only considers processes that are executable files (
.exe) and excludes connections to standard web ports (80 and 443).
- It excludes connections to certain IP ranges (specified in
-
Data Processing:
- It converts process names to lowercase to ensure uniqueness.
- It summarizes the data by counting how many different devices initiated these connections and collects various details like process hashes, command lines, remote IPs, and ports used.
-
Result Filtering: The query only includes processes observed on fewer than four devices, highlighting rare or unusual activity.
-
Output: It provides a list of processes with details about their network connections, sorted by the number of devices they were observed on, and includes the country of the remote IP address.
The goal is to detect potentially malicious activities, such as remote access tools (RATs) or command and control (C2) communications, by identifying uncommon network behaviors.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators