Adversaries may establish persistent network communication to a specific remote IP or URL as part of command and control operations. SOC teams should proactively hunt for this behavior to identify potential C2 activity and mitigate lateral movement risks in their Azure Sentinel environment.
KQL Query
// Query 3 allows you to find network communication to an IP or URL in the DeviceNetworkEvents table, as well as in DeviceEvents for other events (SmartScreen, launching a browser with a URL, and more).
// Be sure to replace the RemoteIP and RemoteUrl placeholder values below.
// Note: DeviceNetworkEvents has no FileName column (the process is in InitiatingProcessFileName), so FileName is empty for rows that come from that table.
find in (DeviceEvents, DeviceNetworkEvents)
where RemoteIP == "IP ADDRESS GOES HERE" or RemoteUrl =~ "URL GOES HERE"
project DeviceName, ActionType, FileName, Timestamp
id: b18cae1a-d089-44b8-bf33-f135ee615f2a
name: Network footprint (2)
description: |
  Query 1 shows you any network communication that happened from endpoints to a specific Remote IP or Remote URL.
  Be sure to replace the RemoteIP and RemoteUrl placeholder values.
  For questions @MiladMSFT on Twitter or [email protected] by email.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
      - DeviceEvents
query: |
  // Query 3 allows you to find network communication to an IP or URL in the DeviceNetworkEvents table, as well as in DeviceEvents for other events (SmartScreen, launching a browser with a URL, and more).
  // Be sure to replace the RemoteIP and RemoteUrl placeholder values below.
  find in (DeviceEvents, DeviceNetworkEvents)
  where RemoteIP == "IP ADDRESS GOES HERE" or RemoteUrl =~ "URL GOES HERE"
  project DeviceName, ActionType, FileName, Timestamp
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Tasks
Description: A legitimate scheduled task (e.g., Task Scheduler or PowerShell script) communicates with a remote IP or URL to check for updates or perform maintenance.
Filter/Exclusion: Exclude traffic originating from known system services or tasks (e.g., svchost.exe, taskhost.exe, or tasks with names like Windows Update or System Maintenance). In KQL, an exclusion on the initiating process looks like:
| where InitiatingProcessFileName !in~ ("svchost.exe", "taskhost.exe")
// "Windows Update" is a scheduled-task name, not a process name, so it cannot go in this list; match it on InitiatingProcessCommandLine instead.
Scenario: Remote Administration Tool (RDP) Session
Description: An administrator is using Remote Desktop Protocol (RDP) to connect to a remote server, which may result in network communication to the remote IP.
Filter/Exclusion: Exclude traffic associated with RDP sessions by checking for the presence of RDP-related processes or connections (e.g., mstsc.exe, rdpclip.exe). In KQL, the exclusion looks like:
| where InitiatingProcessFileName !in~ ("mstsc.exe", "rdpclip.exe")
Scenario: Cloud Backup or Sync Services
Description: A legitimate cloud backup tool (e.g., Veeam, Dell EMC Data Domain, or Microsoft Azure Backup) communicates with a remote server to sync or back up data.
Filter/Exclusion: Exclude traffic from known backup tools by checking the process name or the connection destination. In KQL, the exclusion looks like:
| where not(InitiatingProcessFileName in~ ("VeeamBackup.exe", "AzureBackup.exe")
            or RemoteIP in ("<backup_server_ip>"))   // replace the placeholder with the real backup server address
Scenario: Software Update or Patching Jobs
Description: A patching or update job (e.g., Windows Server Update Services (WSUS), **
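The following query is an added example, not the hunting query shipped on this page or written by its author. It combines the lookup from the KQL Query section with the scenario exclusions above (system tasks, RDP, backup tooling) in a single runnable query, and then summarizes per device and process so repeated contacts over several days, the persistence signal the first paragraph describes, sort to the top. It assumes the Microsoft 365 Defender connector is feeding DeviceNetworkEvents and DeviceEvents; the two remote placeholders and the backup server address are placeholders you must replace, and the process lists are taken from the scenarios, not from any telemetry.

```kql
// Added example: network-footprint hunt with false-positive exclusions and
// a per-device persistence summary. Not the page's own query.
let RemoteIPOfInterest  = "IP ADDRESS GOES HERE";     // placeholder: replace
let RemoteUrlOfInterest = "URL GOES HERE";            // placeholder: replace
let BackupServerIPs     = dynamic(["<backup_server_ip>"]);   // placeholder list
let KnownSystemProcesses = dynamic(["svchost.exe", "taskhost.exe"]);   // scenario 1
let RdpProcesses         = dynamic(["mstsc.exe", "rdpclip.exe"]);     // scenario 2
let BackupProcesses      = dynamic(["VeeamBackup.exe", "AzureBackup.exe"]); // scenario 3
let Lookback = 30d;
union
    (DeviceNetworkEvents
     | where Timestamp > ago(Lookback)
     // DeviceNetworkEvents has no FileName column; surface the initiating process instead.
     | project Timestamp, DeviceName, ActionType, FileName = InitiatingProcessFileName,
               InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort),
    (DeviceEvents
     | where Timestamp > ago(Lookback)
     | where isnotempty(RemoteIP) or isnotempty(RemoteUrl)
     | project Timestamp, DeviceName, ActionType, FileName,
               InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort)
| where RemoteIP == RemoteIPOfInterest or RemoteUrl =~ RemoteUrlOfInterest
// Scenario exclusions from the page. Keep them narrow: a whole process name
// is a coarse filter, so review what is excluded before trusting the result.
| where InitiatingProcessFileName !in~ (KnownSystemProcesses)
| where InitiatingProcessFileName !in~ (RdpProcesses)
| where not(InitiatingProcessFileName in~ (BackupProcesses) or RemoteIP in (BackupServerIPs))
// Persistence view: how often, for how long, and from which command lines
// each device/process pair reached the remote endpoint.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Contacts = count(),
            ActionTypes = make_set(ActionType, 10),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
  by DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl
| extend DaysActive = datetime_diff("day", LastSeen, FirstSeen) + 1
| order by Contacts desc, DaysActive desc
```

Paste the query into the Sentinel hunting blade or the Defender advanced hunting page. The `dynamic()` lists make the exclusions easy to maintain in one place, and keeping the per-process command lines in the summary lets an analyst distinguish a maintenance task that genuinely contacts the address from an unfamiliar binary doing the same on a beaconing schedule.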