Forum Discussion

Apr 30, 2019

How do I query a process in Kusto for MDATP (Microsoft Defender Advanced Threat Protection)?

Hi guys,

I'm pretty new to the channel and also to Kusto querying, so my apologies if I get things wrong. I have done some research and I'm trying to build a Kusto query to detect when a program starts, whether it connects to an IP address, and which ports it is using. Here is the scenario:

Program: AnyDesk ( https://anydesk.com/en/ )

OK, here is my code so far.

 

ProcessCreationEvents
// 'contains' is a case-insensitive substring match on the command line
| where ProcessCommandLine contains 'AnyDesk.exe' or InitiatingProcessCommandLine contains 'AnyDesk.exe'
// drop processes that were started by svchost.exe
| where InitiatingProcessCommandLine !contains 'svchost.exe'
| project EventTime, ComputerName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, MachineId, ReportId
| sort by EventTime

 

But what I also want to include, if possible, is the IP address it connects to and the port. Here is the code I got, but it's not working.

This is running on a Windows 10 machine, not in the cloud.


4 Replies

  • Jacques van Zijl 

    Hi, hope you are all good!

    This is Daniel from MDATP.

    You started off great: ProcessCreationEvents is a great source of information about process creation events. But, as I understand from your case, you are more interested in adding network communication data, which is why I would suggest taking a look at the NetworkCommunicationEvents table. I would use the initiating process file name if you want to include only AnyDesk process communication events and to exclude the svchost events. For the remote destination you can use the following fields as well:

    • RemoteUrl
    • RemoteIP
    • RemotePort
    • LocalPort

    It should look something like this:

    NetworkCommunicationEvents
    // =~ is case-insensitive string equality, so 'anydesk.exe' matches too
    | where InitiatingProcessFileName =~ 'AnyDesk.exe'
    | where InitiatingProcessFileName != 'svchost.exe'
    // 'in' needs a parenthesised list in KQL; a case-insensitive substring match
    // is used here instead as an example destination filter (drop it to see all remotes)
    | where RemoteUrl contains 'bing.com'
    | project EventTime, ComputerName, InitiatingProcessAccountName, InitiatingProcessCommandLine, MachineId, ReportId, RemoteIP, RemotePort
    | take 10

    Let me know if that helps!

    • Jacques van Zijl

      Daniel Naim, OK, good news: it's a better report, thank you for that. Question: why is it showing that AnyDesk.exe failed to establish a connection with 172.107.198.38:80 when I do have a connection? See attached screenshot.

      •
        Daniel Naim
        Former Employee
        "Failed to establish connection" means that in this instance the connection didn't go through. If you do have a successful connection from this process to this IP, it can appear later in time in advanced hunting or in the machine timeline.
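Building on Daniel's NetworkCommunicationEvents suggestion and on his note that a failed connection and a later successful one are separate events, here is an added example query that is not part of the original thread. It ties each AnyDesk process start in ProcessCreationEvents to the connections that exact process instance made in NetworkCommunicationEvents, and counts successful and failed attempts separately instead of filtering on a single remote URL. It assumes the legacy MDATP advanced hunting schema used in the thread, including the ProcessId, ProcessCreationTime, InitiatingProcessId, InitiatingProcessCreationTime, Protocol and ActionType columns and the ActionType values ConnectionSuccess and ConnectionFailed; the 7-day lookback and the 50-item set limit are arbitrary choices.

```kusto
// Added example, not code from the thread or from Microsoft.
// Assumptions: legacy MDATP schema; ProcessCreationEvents exposes ProcessId and
// ProcessCreationTime; NetworkCommunicationEvents exposes InitiatingProcessId,
// InitiatingProcessCreationTime, Protocol and ActionType, with ActionType values
// "ConnectionSuccess" and "ConnectionFailed".
let lookback = 7d;
let process_starts =
    ProcessCreationEvents
    | where EventTime > ago(lookback)
    // match the executable name rather than the command line so quoting or a
    // full path does not matter; =~ is case-insensitive equality
    | where FileName =~ "AnyDesk.exe"
    | project MachineId, ComputerName, ProcessStartTime = EventTime, AccountName,
              ProcessCommandLine, ProcessId, ProcessCreationTime,
              InitiatingProcessFileName;
let connections =
    NetworkCommunicationEvents
    | where EventTime > ago(lookback)
    | where InitiatingProcessFileName =~ "AnyDesk.exe"
    | project MachineId, ConnectionTime = EventTime, ActionType, RemoteIP, RemotePort,
              RemoteUrl, LocalPort, Protocol,
              InitiatingProcessId, InitiatingProcessCreationTime;
process_starts
// Windows reuses process ids, so join on the creation time as well: id plus
// creation time plus machine identifies one process instance. leftouter keeps
// process starts that made no connection at all (counts of 0 below).
| join kind=leftouter (connections) on MachineId,
    $left.ProcessId == $right.InitiatingProcessId,
    $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize
    SuccessfulConnections = countif(ActionType == "ConnectionSuccess"),
    FailedConnections     = countif(ActionType == "ConnectionFailed"),
    FirstConnection       = min(ConnectionTime),
    // remote ip:port pairs; the predicate skips the empty right side of unmatched rows
    Destinations          = make_set_if(strcat(RemoteIP, ":", RemotePort), isnotempty(RemoteIP), 50),
    RemoteUrls            = make_set_if(RemoteUrl, isnotempty(RemoteUrl), 50)
    by ComputerName, ProcessStartTime, AccountName, ProcessCommandLine, InitiatingProcessFileName
| sort by ProcessStartTime desc
```

Each output row is one AnyDesk process start on one machine, with the account that launched it, the parent process, and the set of remote endpoints it reached. A row with FailedConnections greater than 0 and SuccessfulConnections equal to 0 is the situation described in the thread: the timeline shows a failed attempt, and a later successful connection from the same process instance will raise SuccessfulConnections once that event is ingested. Whether the ActionType strings match what your tenant reports is something to confirm with `NetworkCommunicationEvents | distinct ActionType` before relying on the counts.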