Windows Executables Making Suspicious Outbound Connections
Basic query to detect Windows executables located in temporary or download directories establishing outbound network connections, useful for identifying newly downloaded malware contacting command and control servers
Tags: EDR, network-connections, c2, suspicious-paths, beginner, T1071.001
FDR | Beginner | by CQL Hub | 1 min read
Query
#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| ImageFileName=/(?i)(\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\).*\.exe$/
| select([timestamp, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort])
| RemotePort != 0
| groupBy([ComputerName, ImageFileName, RemoteAddressIP4], function=[count(as=connections), min(timestamp, as=first_seen)])
| sort(connections, order=desc, limit=30)
Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=NetworkConnectIP4` | Filters IPv4 network connection events from FDR endpoint telemetry |
| `ImageFileName=/(?i)(...)/` | Selects executables located in temporary or download directories, paths commonly used by malware |
| `select([...])` | Projects the relevant fields: host, user, executable, destination IP and port |
| `RemotePort != 0` | Excludes connections with port zero (listening or incomplete events) |
| `groupBy([...]) \| sort(...)` | Groups by host, executable and destination IP to surface persistent C2 communications, sorted by volume |
Adjustable Variables
ImageFileName: add further suspicious paths such as '\\ProgramData\\' or '\\Users\\Public\\'; RemotePort: filter for specific ports such as 443, 8080, 4444; limit: increase for large environments
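The same detection logic, re-implemented in Python over a constructed handful of NetworkConnectIP4 events so it can be tested offline; this is an added example, not CQL Hub's code. It mirrors the path regex, the port-zero exclusion and the groupBy/sort, and exposes the adjustable variables (extra paths, a port allow-list, the row limit) as parameters. Field names follow the query; the sample events and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of FDR NetworkConnectIP4 events (not real telemetry).
SAMPLE_EVENTS = [
    {"timestamp": 1700000000000, "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": 443},
    {"timestamp": 1700000060000, "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "RemoteAddressIP4": "203.0.113.10", "RemotePort": 443},
    {"timestamp": 1700000120000, "ComputerName": "WS02", "UserName": "bob",
     "ImageFileName": r"C:\Users\bob\Downloads\installer.exe",
     "RemoteAddressIP4": "198.51.100.7", "RemotePort": 0},     # port 0: dropped
    {"timestamp": 1700000180000, "ComputerName": "WS03", "UserName": "carol",
     "ImageFileName": r"C:\Program Files\Browser\browser.exe",
     "RemoteAddressIP4": "192.0.2.50", "RemotePort": 443},     # normal path: dropped
    {"timestamp": 1700000240000, "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"C:\Windows\Temp\svc.exe",
     "RemoteAddressIP4": "203.0.113.11", "RemotePort": 4444},
]

# Path fragments from the query; extend with e.g. "\\ProgramData\\" as the page suggests.
SUSPICIOUS_PATHS = ["\\temp\\", "\\tmp\\", "\\downloads\\", "\\appdata\\local\\temp\\"]

def build_pattern(paths=SUSPICIOUS_PATHS):
    """Equivalent of the ImageFileName regex: any listed fragment, file ending in .exe."""
    alternatives = "|".join(re.escape(p) for p in paths)
    return re.compile(rf"(?i)({alternatives}).*\.exe$")

def detect(events, paths=SUSPICIOUS_PATHS, ports=None, limit=30):
    """Filter, group by host/executable/destination IP, count and take min timestamp,
    then sort by connection count descending, as the CQL query does."""
    pattern = build_pattern(paths)
    groups = defaultdict(lambda: {"connections": 0, "first_seen": None})
    for ev in events:
        if not pattern.search(ev["ImageFileName"]):
            continue
        if ev["RemotePort"] == 0:                                 # listening/incomplete
            continue
        if ports is not None and ev["RemotePort"] not in ports:   # optional port filter
            continue
        g = groups[(ev["ComputerName"], ev["ImageFileName"], ev["RemoteAddressIP4"])]
        g["connections"] += 1
        ts = ev["timestamp"]
        g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
    rows = [dict(ComputerName=k[0], ImageFileName=k[1], RemoteAddressIP4=k[2], **v)
            for k, v in groups.items()]
    rows.sort(key=lambda r: r["connections"], reverse=True)
    return rows[:limit]
```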