Adversaries may use Windows Inet API calls to exfiltrate data or establish command and control channels, which could indicate covert network activity. SOC teams should proactively hunt for these calls in Azure Sentinel to identify potential data exfiltration or C2 attempts that may evade traditional detection methods.
YARA Rule
rule Str_Win32_Internet_API
{
    meta:
        author = "@adricnet"
        description = "Match Windows Inet API call"
        method = "String match, trim the As"
        reference = "https://github.com/dfirnotes/rules"
    strings:
        $wininet_call_closeh = "InternetCloseHandle"
        $wininet_call_readf = "InternetReadFile"
        $wininet_call_connect = "InternetConnect"
        $wininet_call_open = "InternetOpen"
    condition:
        (any of ($wininet_call*))
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate Windows Update Process
    Description: The Windows Update service may make Inet API calls to download updates.
    Filter/Exclusion: Check for ProcessName containing wuauclt.exe or WindowsUpdate.exe and filter out calls to known Microsoft update servers (e.g., update.microsoft.com).

Scenario: Scheduled System Maintenance Task
    Description: A scheduled task may use the Inet API to fetch configuration or script files from an internal server.
    Filter/Exclusion: Filter by ProcessName like schtasks.exe or Task Scheduler and check the DestinationIP against internal IP ranges.

Scenario: Admin Using PowerShell to Fetch External Scripts
    Description: An administrator may use PowerShell to download scripts or configuration files from a trusted external source.
    Filter/Exclusion: Filter by ProcessName containing powershell.exe and check the CommandLine for Invoke-WebRequest or Invoke-RestMethod with known trusted domains.

Scenario: Antivirus or Endpoint Protection Software Scanning
    Description: Antivirus tools may use the Inet API to download virus definitions or updates.
    Filter/Exclusion: Filter by ProcessName containing mpsvc.exe, mfev.exe, or avast (or other vendor-specific names) and check the DestinationIP against known vendor servers.

Scenario: Internal Monitoring Tool Polling External Metrics
    Description: A monitoring tool like Datadog or New Relic may make Inet API calls to external metrics endpoints.
    Filter/Exclusion: Filter by ProcessName containing datadog-agent.exe or newrelic-infra.exe and check the DestinationIP against known monitoring service IPs or domains.
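The following Python script is an added worked example, not code from the rule author or from the page. It does two things: it reproduces the rule's condition (any of the four ASCII strings, with the A/W suffix trimmed so that both InternetOpenA and InternetOpenW match) over raw bytes, and it applies the five exclusion scenarios above to constructed hunting events of the kind a Sentinel query would return. The hostnames, IP ranges and sample events are constructed placeholders for the demonstration; only update.microsoft.com and the process names come from the page. Every exclusion requires both the process match and the destination match, so a trusted process name reaching an unknown endpoint is still surfaced for review.

```python
import ipaddress

# The rule's four ASCII strings. The A/W suffix is left off so that
# InternetOpenA and InternetOpenW both match (the "trim the As" in meta).
WININET_STRINGS = (
    b"InternetCloseHandle",
    b"InternetReadFile",
    b"InternetConnect",
    b"InternetOpen",
)


def matches_inet_api_rule(data: bytes) -> list:
    """Mirror of `any of ($wininet_call*)`: return the rule strings found in data.
    A non-empty list means the rule would fire."""
    return [s.decode("ascii") for s in WININET_STRINGS if s in data]


# Allow-lists derived from the scenarios above. Apart from update.microsoft.com
# (named on the page) these are constructed placeholders; a real deployment
# fills them from the update, vendor and monitoring endpoints it actually uses.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
UPDATE_HOSTS = {"update.microsoft.com"}
TRUSTED_SCRIPT_HOSTS = {"scripts.corp.example"}        # placeholder
AV_VENDOR_HOSTS = {"definitions.av-vendor.example"}    # placeholder
MONITORING_HOSTS = {"metrics.monitoring.example"}      # placeholder


def _is_internal(ip: str) -> bool:
    """True when ip parses and falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def classify(event: dict) -> str:
    """Apply the five exclusions. Each needs BOTH a process match and a
    destination match, so a renamed binary or a trusted process talking to
    an unknown endpoint still lands in 'review'."""
    proc = event.get("ProcessName", "").lower()
    host = event.get("DestinationHost", "").lower()
    ip = event.get("DestinationIP", "")
    cmd = event.get("CommandLine", "").lower()

    if proc in ("wuauclt.exe", "windowsupdate.exe") and host in UPDATE_HOSTS:
        return "excluded:windows-update"
    if proc == "schtasks.exe" and _is_internal(ip):
        return "excluded:scheduled-task"
    if (proc == "powershell.exe"
            and ("invoke-webrequest" in cmd or "invoke-restmethod" in cmd)
            and host in TRUSTED_SCRIPT_HOSTS):
        return "excluded:admin-powershell"
    if any(m in proc for m in ("mpsvc.exe", "mfev.exe", "avast")) and host in AV_VENDOR_HOSTS:
        return "excluded:endpoint-protection"
    if proc in ("datadog-agent.exe", "newrelic-infra.exe") and host in MONITORING_HOSTS:
        return "excluded:monitoring"
    return "review"


def hunt(events: list) -> list:
    """Return the events an analyst still needs to look at."""
    return [e for e in events if classify(e) == "review"]


# Constructed sample telemetry for the demonstration.
SAMPLE_EVENTS = [
    {"ProcessName": "wuauclt.exe", "DestinationHost": "update.microsoft.com",
     "DestinationIP": "20.0.0.1"},
    {"ProcessName": "schtasks.exe", "DestinationHost": "",
     "DestinationIP": "10.20.30.40"},
    {"ProcessName": "powershell.exe", "DestinationHost": "scripts.corp.example",
     "DestinationIP": "10.0.5.5",
     "CommandLine": "powershell Invoke-WebRequest https://scripts.corp.example/baseline.ps1"},
    {"ProcessName": "powershell.exe", "DestinationHost": "203.0.113.10",
     "DestinationIP": "203.0.113.10",
     "CommandLine": "powershell Invoke-WebRequest http://203.0.113.10/a"},
    # Right process name, wrong destination: the exclusion must NOT apply.
    {"ProcessName": "wuauclt.exe", "DestinationHost": "203.0.113.10",
     "DestinationIP": "203.0.113.10"},
    {"ProcessName": "datadog-agent.exe", "DestinationHost": "metrics.monitoring.example",
     "DestinationIP": "198.51.100.7"},
]

if __name__ == "__main__":
    print("rule strings found:",
          matches_inet_api_rule(b"\x00InternetOpenA\x00InternetReadFile\x00"))
    for e in hunt(SAMPLE_EVENTS):
        print("REVIEW:", e["ProcessName"], "->", e["DestinationHost"])
```

Run as-is it reports the two events that survive the exclusions: the PowerShell download from an unlisted address and the wuauclt.exe connection to a non-Microsoft destination. The second case is why the exclusions are written as conjunctions rather than process-name allow-lists on their own.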