Native Windows Tools with External Internet Connections (FDR)
Detects connections to external IPs (non-RFC1918) originating from native Windows administration and scripting tools, a basic LOTL pattern for payload download or C2 communication
Tags: EDR, lotl, c2, exfiltration, windows-native, fdr, T1105, T1071.001, T1218
FDR · Beginner · by CQL Hub · 2 min read
Query

```cql
#repo="base_sensor" #event_simpleName=NetworkConnectIP4
| regex(field=ImageFileName, regex="(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|bitsadmin|certutil|regsvr32|rundll32)\.exe$")
| not regex(field=RemoteAddressIP4, regex="^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1|fd)")
| groupBy([ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort], function=count(as=connections))
| sort(connections, order=desc, limit=40)
```

Explanation
| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=NetworkConnectIP4` | Outbound IPv4 network connection events from FDR |
| `regex(field=ImageFileName, ...cmd\|powershell\|wscript\|mshta\|certutil...)` | List of network-capable LOLBins: scripting interpreters and native download utilities |
| `not regex(field=RemoteAddressIP4, ...RFC1918...)` | Excludes private ranges (10.x, 172.16-31.x, 192.168.x), loopback and link-local; only alerts on public IPs (the `::1` and `fd` alternatives are IPv6 patterns and never match in this IPv4 field) |
| `groupBy([ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort], ...)` | Groups by all key fields to identify which tool connects to which external IP on which port |
| `sort(connections, order=desc, limit=40)` | Sorts by number of connections to surface persistent C2 activity or repeated downloads |
Adjustable Variables
Add the IPs of corporate proxies or known CDNs to the `not regex` exclusion to reduce false positives. Filter on `RemotePort=80 OR RemotePort=443` if only web traffic is of interest. In environments with a lot of legitimate scripting (Ansible, SCCM), exclude by `UserName` or by the `ParentBaseFileName` of the management tools.
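The same filter, grouping and sort logic as an added Python example (not CQL Hub's code), run over constructed NetworkConnectIP4-style records so the exclusions can be checked offline; the `exclude_ips` parameter models the proxy/CDN exclusion suggested under Adjustable Variables. Field names are taken from the query; hosts, users and addresses are made up.

```python
import re
from collections import Counter

# Same two patterns as the CQL query, ported to Python so the logic can be exercised offline.
LOLBIN_RE = re.compile(
    r"(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|bitsadmin|certutil|regsvr32|rundll32)\.exe$")
PRIVATE_RE = re.compile(
    r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|::1|fd)")

def make_event(host, user, image, ip, port):
    """Constructed NetworkConnectIP4-style record using the field names from the query."""
    return {"ComputerName": host, "UserName": user, "ImageFileName": image,
            "RemoteAddressIP4": ip, "RemotePort": port}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (hosts, users and IPs are made up; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, so they count as "external" here).
SAMPLE_EVENTS = (
    [make_event("WS01", "alice", PS, "203.0.113.10", 443)] * 3          # repeated beacon: hits
    + [make_event("WS01", "alice", PS, "10.0.0.5", 445)]                # RFC1918: excluded
    + [make_event("WS02", "bob", r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  "203.0.113.10", 443)]                                 # not a LOLBin: excluded
    + [make_event("WS02", "bob", r"C:\Windows\System32\certutil.exe", "198.51.100.7", 80)]
    + [make_event("WS03", "svc", r"C:\Windows\System32\rundll32.exe", "172.20.1.9", 8080)]  # 172.16/12
)

def is_lolbin(image_file_name):
    """True when the process image is one of the network-capable LOLBins in the regex."""
    return LOLBIN_RE.search(image_file_name) is not None

def is_external(ip4):
    """True when the address is outside the private, loopback and link-local ranges."""
    return PRIVATE_RE.match(ip4) is None

def detect(events, exclude_ips=frozenset(), limit=40):
    """Mirror of filter -> groupBy(count(as=connections)) -> sort(desc, limit).
    exclude_ips holds extra public IPs (proxies, CDNs) to suppress, per Adjustable Variables.
    Returns [((ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort), connections)].
    """
    counts = Counter()
    for e in events:
        if not is_lolbin(e["ImageFileName"]) or not is_external(e["RemoteAddressIP4"]):
            continue
        if e["RemoteAddressIP4"] in exclude_ips:
            continue
        counts[(e["ComputerName"], e["UserName"], e["ImageFileName"],
                e["RemoteAddressIP4"], e["RemotePort"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:limit]
```

Running `detect(SAMPLE_EVENTS)` reports only the powershell.exe beacon (3 connections) and the single certutil.exe download; the private-range and browser events are dropped.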