Hunt for LOLBins (living-off-the-land binaries) initiating connections to public IP addresses
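// Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins
// (that query works on process events; this one pivots the same idea onto DeviceNetworkEvents).
// T1218 - living-off-the-land binaries connecting to the internet.
//
// Matching is done with in~ (exact, case-insensitive file name) rather than `contains`:
// `contains` is a substring test, so e.g. "sc.exe" also matches any file name that merely
// ends in "sc.exe", which is why the original had to special-case Reg.exe and Explorer.exe
// with =~. An exact list avoids that class of false positives and is cheaper to evaluate.
//
// NOTE(review): file-name matching cannot see a LOLBin that was copied/renamed. If the
// InitiatingProcessVersionInfoOriginalFileName column is available in your tenant's schema,
// matching it against the same list would close that gap -- confirm before relying on it.
let lolbins = dynamic([
    "atbroker.exe", "bash.exe", "bitsadmin.exe", "certutil.exe", "cmdkey.exe",
    "cmstp.exe", "control.exe", "csc.exe", "cscript.exe", "dfsvc.exe",
    "diskshadow.exe", "dnscmd.exe", "esentutl.exe", "extexport.exe", "extrac32.exe",
    "expand.exe", "explorer.exe", "findstr.exe", "forfiles.exe", "gpscript.exe",
    "hh.exe", "ieexec.exe", "ie4uinit.exe", "infdefaultinstall.exe", "installutil.exe",
    "makecab.exe", "mavinject.exe", "msbuild.exe", "msconfig.exe", "msdt.exe",
    "mshta.exe", "msiexec.exe", "netsh.exe", "nltest.exe", "odbcconf.exe",
    "openwith.exe", "pcalua.exe", "pcwrun.exe", "powershell.exe", "presentationhost.exe",
    "print.exe", "psr.exe", "reg.exe", "regedit.exe", "regasm.exe",
    "register-cimprovider.exe", "regsvcs.exe", "regsvr32.exe", "replace.exe", "robocopy.exe",
    "rpcping.exe", "rundll32.exe", "runonce.exe", "runscripthelper.exe", "sc.exe",
    "scriptrunner.exe", "syncappvpublishingserver.exe", "wab.exe", "wmic.exe", "wscript.exe",
    "xwizard.exe"
]);
// Exact hosts that are treated as benign destinations. Compared case-insensitively (in~);
// the apex domains of the suffix rules below are listed here too, so an exact hit on the
// bare domain is still excluded after the suffix rules were anchored on a leading dot.
let allowedHosts = dynamic([
    "windows.net", "microsoft.com", "office.com",
    "download.windowsupdate.com", "ctldl.windowsupdate.com",
    "citrixupdates.cloud.com", "dev.azure.com",
    "login.microsoftonline.com", "provisioningapi.microsoftonline.com",
    "secure.aadcdn.microsoftonline-p.com", "clientconfig.microsoftonline-p.net",
    "client.wns.windows.com", "wns.windows.com",
    "dc.services.visualstudio.com", "config.edge.skype.com",
    "fp.measure.office.com", "ecs.office.com",
    "autologon.microsoftazuread-sso.com",
    "outlook.office365.com", "res.office365.com",
    "officeapps.live.com", "nexusrules.officeapps.live.com",
    "na1r.services.adobe.com", "updates.logitech.com",
    "ocsp.globalsign.com", "ocsp.verisign.com"
]);
DeviceNetworkEvents
| where RemoteIPType == 'Public'
| where InitiatingProcessFileName in~ (lolbins)
// --- exclude legitimate destinations -------------------------------------------------
// Suffix rules are anchored on a leading "." so that only real subdomains are excluded.
// The original `!endswith "windows.net"` / `"Microsoft.com"` / `"office.com"` forms also
// dropped attacker-registered look-alikes such as "notmicrosoft.com" or "backoffice.com",
// which silently hides exactly the traffic this hunt is looking for.
// CAUTION: ".windows.net" and ".dev.azure.com" still cover tenant-rentable services
// (e.g. Azure storage accounts / DevOps projects) that an adversary can host payloads on;
// tighten these to the specific hosts your estate uses before treating the result as clean.
// Events without a resolved RemoteUrl are not affected by these rules and stay in the output.
| where RemoteUrl !endswith ".windows.net"
| where RemoteUrl !endswith ".microsoft.com"
| where RemoteUrl !endswith ".download.windowsupdate.com"
| where RemoteUrl !endswith ".citrixupdates.cloud.com"
| where RemoteUrl !endswith ".dev.azure.com"
| where RemoteUrl !endswith ".login.microsoftonline.com"
| where RemoteUrl !endswith ".wns.windows.com"            // also covers client.wns.windows.com
| where RemoteUrl !endswith ".dc.services.visualstudio.com"
| where RemoteUrl !endswith ".config.edge.skype.com"
| where RemoteUrl !endswith ".autologon.microsoftazuread-sso.com"
| where RemoteUrl !endswith ".office.com"                 // also covers fp.measure / ecs
| where RemoteUrl !endswith ".res.office365.com"
| where RemoteUrl !endswith ".officeapps.live.com"        // also covers nexusrules
| where RemoteUrl !in~ (allowedHosts)
// --- exclude known-benign process invocations -----------------------------------------
// !~ is a case-insensitive inequality, so one rule covers the C:\WINDOWS and C:\Windows
// spellings that previously needed two separate != lines.
| where InitiatingProcessCommandLine !~ @"rundll32.exe C:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask"
| where InitiatingProcessCommandLine !contains @"Windows Defender Advanced Threat Protection\Downloads\UnicastScanner"
| where InitiatingProcessCommandLine !contains @"Windows Defender Advanced Threat Protection\Downloads\MulticastScanner"
// Alternative aggregation if you want volume per destination instead of a distinct list:
// | summarize count(RemoteUrl) by InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| distinct InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| sort by RemotePort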