List oubound conhost connections

Query Information

Description

List outbound conhost connections.

Risk

It is unexpected that conhost makes connections to external domains.

References

https://kqlquery.com/
https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules
example link 3

Defender For Endpoint

let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))

Sentinel

let ValidDomains = dynamic(['.microsoft.com', '.digicert.com']);
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "conhost.exe"
| where not(ipv4_is_private(RemoteIP) or RemoteIP == "127.0.0.1")
| where not(RemoteUrl has_any (ValidDomains))

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OutboundConhostConnection.md

OutboundConhostConnection.md

List oubound conhost connections

Query Information

Description

Risk

References

Defender For Endpoint

Sentinel

Files

OutboundConhostConnection.md

Latest commit

History

OutboundConhostConnection.md

File metadata and controls

List oubound conhost connections

Query Information

Description

Risk

References

Defender For Endpoint

Sentinel