Hunt for lolbins connecting to public ip addresses

lolbinsnetworkpublic.kql

// Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins just changed Processes to Networkevents
// T1218 Living of the land binaries connecting to the internet
// network activities with lolbins
DeviceNetworkEvents
| where RemoteIPType == 'Public'
| where InitiatingProcessFileName contains "Atbroker.exe" or
InitiatingProcessFileName contains "Bash.exe" or
InitiatingProcessFileName contains "Bitsadmin.exe" or
InitiatingProcessFileName contains "Certutil.exe" or
InitiatingProcessFileName contains "Cmdkey.exe" or
InitiatingProcessFileName contains "Cmstp.exe" or
InitiatingProcessFileName contains "Control.exe" or
InitiatingProcessFileName contains "Csc.exe" or
InitiatingProcessFileName contains "Cscript.exe" or
InitiatingProcessFileName contains "Dfsvc.exe" or
InitiatingProcessFileName contains "Diskshadow.exe" or
InitiatingProcessFileName contains "Dnscmd.exe" or
InitiatingProcessFileName contains "Esentutl.exe" or
InitiatingProcessFileName contains "Extexport.exe" or
InitiatingProcessFileName contains "Extrac32.exe" or
InitiatingProcessFileName contains "Expand.exe" or
InitiatingProcessFileName =~  "Explorer.exe" or
InitiatingProcessFileName contains "Findstr.exe" or
InitiatingProcessFileName contains "Forfiles.exe" or
InitiatingProcessFileName contains "Gpscript.exe" or
InitiatingProcessFileName contains "Hh.exe" or
InitiatingProcessFileName contains "Ieexec.exe" or
InitiatingProcessFileName contains "Ie4uinit.exe" or
InitiatingProcessFileName contains "Infdefaultinstall.exe" or
InitiatingProcessFileName contains "Installutil.exe" or
InitiatingProcessFileName contains "Makecab.exe" or
InitiatingProcessFileName contains "Mavinject.exe" or
InitiatingProcessFileName contains "Msbuild.exe" or
InitiatingProcessFileName contains "Msconfig.exe" or
InitiatingProcessFileName contains "Msdt.exe" or
InitiatingProcessFileName contains "Mshta.exe" or
InitiatingProcessFileName contains "Msiexec.exe" or
InitiatingProcessFileName contains "Netsh.exe" or
InitiatingProcessFileName contains "Nltest.exe" or
InitiatingProcessFileName contains "Odbcconf.exe" or
InitiatingProcessFileName contains "Openwith.exe" or
InitiatingProcessFileName contains "Pcalua.exe" or
InitiatingProcessFileName contains "Pcwrun.exe" or
InitiatingProcessFileName contains "Powershell.exe" or
InitiatingProcessFileName contains "Presentationhost.exe" or
InitiatingProcessFileName contains "Print.exe" or
InitiatingProcessFileName contains "Psr.exe" or
InitiatingProcessFileName =~  "Reg.exe" or
InitiatingProcessFileName contains "Regedit.exe" or
InitiatingProcessFileName contains "Regasm.exe" or
InitiatingProcessFileName contains "Register-cimprovider.exe" or
InitiatingProcessFileName contains "Regsvcs.exe" or
InitiatingProcessFileName contains "Regsvr32.exe" or
InitiatingProcessFileName contains "Replace.exe" or
InitiatingProcessFileName contains "Robocopy.exe" or
InitiatingProcessFileName contains "Rpcping.exe" or
InitiatingProcessFileName contains "Rundll32.exe" or
InitiatingProcessFileName contains "Runonce.exe" or
InitiatingProcessFileName contains "Runscripthelper.exe" or
InitiatingProcessFileName contains "Sc.exe" or
InitiatingProcessFileName contains "Scriptrunner.exe" or
InitiatingProcessFileName contains "Syncappvpublishingserver.exe" or
InitiatingProcessFileName contains "Wab.exe" or
InitiatingProcessFileName contains "Wmic.exe" or
InitiatingProcessFileName contains "Wscript.exe" or
InitiatingProcessFileName contains "Xwizard.exe"  
// exclude legit urls
| where tostring(RemoteUrl) !endswith "windows.net"
| where tostring(RemoteUrl) !endswith "Microsoft.com"
| where tostring(RemoteUrl) !endswith "download.windowsupdate.com"
| where tostring(RemoteUrl) !endswith "citrixupdates.cloud.com"
| where tostring(RemoteUrl) !endswith "dev.azure.com"
| where tostring(RemoteUrl) !endswith "login.microsoftonline.com"
| where tostring(RemoteUrl) !endswith "client.wns.windows.com"
| where tostring(RemoteUrl) !endswith "dc.services.visualstudio.com"
| where tostring(RemoteUrl) !endswith "config.edge.skype.com"
| where tostring(RemoteUrl) !endswith "fp.measure.office.com"
| where tostring(RemoteUrl) !endswith "autologon.microsoftazuread-sso.com"
| where tostring(RemoteUrl) !endswith "wns.windows.com"
| where tostring(RemoteUrl) !endswith "office.com"
| where RemoteUrl != "outlook.office365.com"
| where RemoteUrl != "ecs.office.com"
| where tostring(RemoteUrl) !endswith "res.office365.com"
| where tostring(RemoteUrl) !endswith "officeapps.live.com"
| where RemoteUrl != "nexusrules.officeapps.live.com"
| where RemoteUrl != "ctldl.windowsupdate.com"
| where RemoteUrl != "provisioningapi.microsoftonline.com"
| where RemoteUrl != "secure.aadcdn.microsoftonline-p.com"
| where RemoteUrl != "clientconfig.microsoftonline-p.net"
| where RemoteUrl != "na1r.services.adobe.com"
| where RemoteUrl != "updates.logitech.com"
| where RemoteUrl != "ocsp.globalsign.com"
| where RemoteUrl != "ocsp.verisign.com"
// exclude legit processes
| where InitiatingProcessCommandLine != @"rundll32.exe C:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask"
| where InitiatingProcessCommandLine != @"rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask"
| where tostring(InitiatingProcessCommandLine) !contains @"Windows Defender Advanced Threat Protection\Downloads\UnicastScanner"
| where tostring(InitiatingProcessCommandLine) !contains @"Windows Defender Advanced Threat Protection\Downloads\MulticastScanner"
// | summarize count(RemoteUrl) by InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| distinct  InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| sort by RemotePort