
2024-05-30 // Dylan Evans

Potential Data Exfiltration via Ping.exe with Large Payloads

Defender XDR

Detects `ping.exe` executions that set a large ICMP payload size with the `-l` (or `/l`) flag, a pattern that may indicate data exfiltration over ICMP.

data-exfiltration, process-injection, network-exploitation


Overview

This detection identifies ping.exe executions that set the ICMP send-buffer size with the -l (or /l) flag to a large value (>1KB). Windows ping pads every echo request to that size, and large ICMP payloads are the transport used by ICMP tunnelling and exfiltration tooling; running ping.exe with a large -l is the simplest way to test whether such packets leave the network, and "ping" is also an easy name for a tunnelling binary to hide behind. ICMP is frequently allowed outbound by egress firewalls and is not inspected by web proxies, so these packets can carry data past controls that would catch HTTP or DNS exfiltration. Ordinary connectivity checks use the 32-byte default, so an explicit large size is the main signal. On its own the event does not prove exfiltration, lateral movement or credential abuse; the query surfaces the target and the full command line so an analyst can judge it in context.

Query

DeviceProcessEvents
| where FileName =~ "ping.exe"
// Cheap term pre-filter; the extract below enforces the real condition
| where ProcessCommandLine has_any("-l", "/l")
// Send-buffer size given as "-l <bytes>" or "/l <bytes>" (Windows ping caps it at 65500)
| extend payload_size = toint(extract(@"[-/][lL]\s+(\d+)", 1, ProcessCommandLine))
| where isnotnull(payload_size) and payload_size > 1024
// Drop the executable token first, otherwise the hostname pattern below matches "ping.exe" itself
| extend Args = replace_regex(ProcessCommandLine, @"(?i)^\s*\S*ping(\.exe)?""?\s*", "")
| extend RemoteIP = extract(@"\b\d{1,3}(?:\.\d{1,3}){3}\b", 0, Args)
| extend RemoteURL = extract(@"(?:https?://)?(?:[^@\s]+@)?(?:www\.)?([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})", 1, Args)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, RemoteURL, payload_size, ProcessCommandLine

Logic Explanation

The query filters DeviceProcessEvents for:

  • FileName matching ping.exe (case-insensitive, so PING.EXE is covered)
  • Command-line arguments containing -l or /l, the Windows ping flag that sets the ICMP send-buffer (payload) size in bytes
  • Extracts the numeric payload size that follows the flag (e.g., -l 1024) and converts it to an integer
  • Applies the threshold: only events with payload_size > 1KB are retained
  • Parses the remote target from the command line: an IPv4 address (\b\d{1,3}(?:\.\d{1,3}){3}\b) and a hostname or URL (optionally prefixed with http://, https:// or user@); the executable name itself also looks like a hostname to that pattern, so it must be excluded before extraction
  • Returns structured output: timestamp, device name, account, remote targets, payload size, and full command line.

Tuning Notes

  • False positives: Legitimate connectivity tests may use -l with small payloads (e.g., -l 64). The most common large-payload use is path-MTU testing, typically "ping -f -l 1472 <gateway>" (1472 bytes plus IP and ICMP headers is exactly 1500), so expect network-operations accounts to trip a 1KB threshold. Consider raising the threshold to >1472 or >2048, or suppressing events that also carry -f (Don't Fragment) with a size at or below the link MTU. Windows caps -l at 65500; sizes near that cap, especially combined with -t (ping until stopped), are far more suspicious than a single 1472-byte probe.
  • IP/URL noise: The extracts take the first IP or hostname in the argument list, which may be an internal target. Filter RemoteIP with ipv4_is_private() and RemoteURL against your internal domain suffixes before alerting, and use the parent process (InitiatingProcessFileName in DeviceProcessEvents) to separate an interactive troubleshooting session from ping.exe spawned by a script or an unusual parent.
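As an added example, not part of the original detection, here is the query's logic reimplemented in Python and run over a handful of constructed DeviceProcessEvents-style rows. It covers the logic explanation and the tuning notes above: the size threshold, an RFC 1918 check standing in for ipv4_is_private(), the path-MTU probe pattern, and the pitfall that the hostname pattern, run on the unstripped command line, returns the executable name. The sample rows, hostnames, addresses, and the mtu_probe and triage heuristics are assumptions made for the demo.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DeviceProcessEvents-style rows for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-30T10:00:01Z", "DeviceName": "WS01", "AccountName": "alice",
     "FileName": "PING.EXE",
     "ProcessCommandLine": r'"C:\Windows\System32\PING.EXE" -n 1 -l 4000 198.51.100.25'},
    {"Timestamp": "2024-05-30T10:00:02Z", "DeviceName": "WS02", "AccountName": "bob",
     "FileName": "ping.exe",
     "ProcessCommandLine": "ping.exe -l 2000 exfil.example.net"},
    {"Timestamp": "2024-05-30T10:00:03Z", "DeviceName": "WS03", "AccountName": "netops",
     "FileName": "ping.exe",
     "ProcessCommandLine": "ping -l 1472 -f 10.0.0.1"},      # path-MTU probe, DF bit set
    {"Timestamp": "2024-05-30T10:00:04Z", "DeviceName": "WS04", "AccountName": "carol",
     "FileName": "ping.exe",
     "ProcessCommandLine": "ping -l 32 10.0.0.5"},           # default-sized payload, noise
    {"Timestamp": "2024-05-30T10:00:05Z", "DeviceName": "WS05", "AccountName": "dave",
     "FileName": "ping.exe",
     "ProcessCommandLine": "ping 10.0.0.9 -t"},              # no -l at all
]

# Same patterns as the KQL query; Python's re and Kusto's RE2 agree on this syntax.
EXE_TOKEN_RE = re.compile(r'(?i)^\s*\S*ping(\.exe)?"?\s*')
SIZE_RE = re.compile(r'[-/][lL]\s+(\d+)')
IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
HOST_RE = re.compile(r'(?:https?://)?(?:[^@\s]+@)?(?:www\.)?([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})')
DF_FLAG_RE = re.compile(r'(?:^|\s)[-/]f(?:\s|$)')       # Windows ping "Don't Fragment" flag

# RFC 1918 only, mirroring KQL ipv4_is_private(); ipaddress.is_private would also
# flag documentation ranges such as 198.51.100.0/24, which we want to treat as external here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def host_from_full_cmdline(cmd: str) -> Optional[str]:
    """The hostname extract run on the whole command line: the executable
    name satisfies the pattern, so the result is 'ping.exe', not the target."""
    m = HOST_RE.search(cmd)
    return m.group(1) if m else None


@dataclass
class Hit:
    timestamp: str
    device: str
    account: str
    remote_ip: Optional[str]
    remote_host: Optional[str]
    payload_size: int
    private_target: bool
    mtu_probe: bool
    command_line: str


def detect(events, threshold: int = 1024):
    """Python equivalent of the KQL query; threshold is the payload_size cut-off."""
    hits = []
    for ev in events:
        if ev["FileName"].lower() != "ping.exe":       # FileName =~ "ping.exe"
            continue
        cmd = ev["ProcessCommandLine"]
        m = SIZE_RE.search(cmd)                        # payload_size = extract(...)
        if not m:
            continue
        size = int(m.group(1))
        if size <= threshold:                          # payload_size > threshold
            continue
        args = EXE_TOKEN_RE.sub("", cmd, count=1)      # strip the ping.exe token first
        ip_m = IPV4_RE.search(args)
        host_m = HOST_RE.search(args)
        ip = ip_m.group(0) if ip_m else None
        hits.append(Hit(
            timestamp=ev["Timestamp"], device=ev["DeviceName"], account=ev["AccountName"],
            remote_ip=ip, remote_host=host_m.group(1) if host_m else None,
            payload_size=size,
            private_target=bool(ip and is_rfc1918(ip)),
            # Heuristic (assumption): DF bit set and a size that fits a 1500-byte link
            # is the classic path-MTU test, not a tunnelling attempt.
            mtu_probe=bool(DF_FLAG_RE.search(args)) and size <= 1500,
            command_line=cmd))
    return hits


def triage(hits):
    """Tuning step from the notes: drop MTU probes and RFC 1918 targets before alerting."""
    return [h for h in hits if not h.mtu_probe and not h.private_target]


if __name__ == "__main__":
    for h in triage(detect(SAMPLE_EVENTS)):
        print(h.device, h.account, h.payload_size, h.remote_ip or h.remote_host)
```

Running it at the default 1KB threshold yields three hits (4000 bytes to an external IP, 2000 bytes to a hostname, and the 1472-byte DF probe to an internal gateway); triage() keeps only the first two, and raising the threshold to 2048 leaves only the 4000-byte event, which is the trade-off the tuning notes describe.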
