What Changed
Added a new hunting query that baselines process identities by their code-signing certificate and flags evasive network execution: it detects processes making a first-time outbound connection that does not appear in a 14-day baseline.
Detection Logic
Uses the DeviceFileCertificateInfo, DeviceNetworkEvents, and DeviceInfo tables to build identity profiles keyed on InitiatingProcessFileName plus the cryptographic Signer (requiring IsSigned == true and IsTrusted == true). The query compares the last 24 hours of activity against the 14-day baseline with an anti-join, surfacing first-time outbound network connections by verified process identities.
Includes performance optimizations (early isnotempty() filtering) and complete entity mappings for Host, Account, IP, Process, and FileHash.
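The following KQL is an added illustration of the detection logic described above, written for this review; it is not the query in the PR. It assumes the standard advanced-hunting schema for the three tables, joins certificate records to network events on the process SHA1, and treats `ActionType`, `RemoteIPType` filters and the 24h/14d windows as tunable assumptions:

```kusto
// Added example (not the PR's own query): first-time outbound connection by a
// signed, trusted process identity (InitiatingProcessFileName + Signer), comparing
// the last 24h against the preceding 14-day baseline with an anti-join.
let lookback = 14d;   // baseline window (assumption, matches the PR description)
let recent = 1d;      // detection window (assumption, matches the PR description)
// Resolve each binary hash to its verified signer. Only signed binaries with a
// trusted chain survive; unsigned processes are dropped by design.
let signerByHash = DeviceFileCertificateInfo
    | where Timestamp > ago(lookback + recent)
    | where IsSigned == true and IsTrusted == true
    | where isnotempty(Signer)
    | summarize arg_max(Timestamp, Signer, Issuer) by SHA1;
// Outbound network events over the full window, filtered early on the fields the
// identity needs so the join and summarize operate on as few rows as possible.
let netEvents = DeviceNetworkEvents
    | where Timestamp > ago(lookback + recent)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")   // assumption: outbound only
    | where RemoteIPType == "Public"                                    // assumption: ignore internal traffic
    | where isnotempty(InitiatingProcessSHA1) and isnotempty(InitiatingProcessFileName)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA1,
              InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessAccountName,
              InitiatingProcessAccountDomain, RemoteIP, RemotePort, RemoteUrl
    | join kind=inner signerByHash on $left.InitiatingProcessSHA1 == $right.SHA1
    // The identity is the file name plus the verified signer, not the hash, so a
    // routine version update of a known binary does not look like a new process.
    | extend ProcessIdentity = strcat(tolower(InitiatingProcessFileName), "|", Signer);
// Baseline: identities that already made outbound connections before the recent window.
let baseline = netEvents
    | where Timestamp <= ago(recent)
    | distinct ProcessIdentity;
// Anti-join: identities active in the last 24h that have no baseline history.
netEvents
| where Timestamp > ago(recent)
| join kind=leftanti baseline on ProcessIdentity
// Enrich with the latest device record so the Host entity carries the platform.
| join kind=leftouter (
      DeviceInfo
      | summarize arg_max(Timestamp, OSPlatform) by DeviceId
      | project DeviceId, OSPlatform
  ) on DeviceId
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), ConnectionCount = count(),
            RemoteIPs = make_set(RemoteIP, 20), RemoteUrls = make_set(RemoteUrl, 20),
            Devices = make_set(DeviceName, 10), Platforms = make_set(OSPlatform, 5)
  by ProcessIdentity, InitiatingProcessFileName, Signer, Issuer, InitiatingProcessSHA1,
     InitiatingProcessFolderPath, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by FirstSeen asc
```

Two caveats a reviewer would want checked against the real query: the baseline is only as deep as the tenant's retention, so a fresh workspace or a newly onboarded device fleet will produce a burst of "first-time" identities until 14 days of history exist, and keying the baseline tenant-wide (rather than per device) means a binary that is common elsewhere in the estate will not alert on a host where it is new. Either behaviour can be the intended one, but the choice should be stated in the query's description.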
MITRE Mapping
- T1055 (Process Injection): Targets DLL sideloading via legitimate signed binaries
- T1071 (Application Layer Protocol): Detects C2 communication through reputable processes
- T1095 (Non-Application Layer Protocol): Captures anomalous network patterns
Note: the query includes alertDetailsOverride and severity fields, which are typically used in Analytic Rules rather than Hunting Queries; it may need a schema validation review.
Affected Files
Hunting Queries/Microsoft 365 Defender/Command and Control/First-TimeNetworkConnectionByUnusualProcess.yaml