2024-05-30 // Dylan Evans
Potential Data Exfiltration via Ping.exe with Large Payloads
Defender XDR
Detects suspicious `ping.exe` executions with `/l` or `-l` flags and large payload sizes, indicating potential data exfiltration attempts.
Tags: data-exfiltration, process-injection, network-exploitation
Overview
This detection identifies suspicious ping.exe executions that use the /l or -l flag to enumerate remote hosts, combined with a large payload size (>1KB), which may indicate a data exfiltration attempt. The query surfaces command-line arguments that may bypass standard network checks and can point to lateral movement or credential abuse.
Query
DeviceProcessEvents
| where FileName =~ "ping.exe"
| where ProcessCommandLine has_any("-l", "/l")
// Numeric value following -l or /l (the size argument)
| extend payload_size = extract(@"[-/][lL]\s+(\d+)", 1, ProcessCommandLine)
| extend RemoteIP = extract(@"\b\d{1,3}(?:\.\d{1,3}){3}\b", 0, ProcessCommandLine)
// Drop the leading image token (quoted or bare) before matching a hostname;
// otherwise the pattern below captures "ping.exe" itself rather than the target.
| extend Args = trim_start(@'^("[^"]*"|\S+)\s*', ProcessCommandLine)
| extend RemoteURL = extract(@"(?:https?:\/\/)?(?:[^@\s]+@)?(?:www\.)?([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})", 1, Args)
| where isnotempty(payload_size) and toint(payload_size) > 1024
| project Timestamp, DeviceName, AccountName, RemoteIP, RemoteURL, payload_size, ProcessCommandLine
Logic Explanation
The query filters DeviceProcessEvents for:
- FileName matching ping.exe
- Command-line arguments containing -l or /l (indicating host enumeration)
- Extracts the numeric payload size from these flags (e.g., -l 1024)
- Parses potential remote IPs (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) and URLs (including HTTPS)
- Applies thresholds: only events with payload_size > 1KB are retained
- Returns structured output: timestamp, device name, account, remote targets, payload size, and full command line
Tuning Notes
- False positives: Legitimate network scans may use /l with small payloads (e.g., -l 64). Consider adjusting the threshold to >512 or >2048 based on the environment.
- IP/URL noise: The query extracts all IPs/URLs from command lines, which can include benign targets. Filter on RemoteIP/RemoteURL being non-local or a suspicious domain before alerting.
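To exercise the extraction, threshold and tuning logic offline before the query is deployed, here is an added Python re-implementation written for this page (example code, not part of the original detection or of any Microsoft tooling). It mirrors the three extract() patterns and the >1024 threshold over a few constructed DeviceProcessEvents-style rows, adds the tuning-note filter for local (RFC 1918, loopback, link-local) destinations, and shows why the hostname pattern should run on the argument portion: against the full command line it captures "ping.exe" itself. The sample rows, device and account names, the `strip_image` option and the `LOCAL_NETS` list are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Python equivalents of the three extract() patterns in the KQL query.
PAYLOAD_RE = re.compile(r"[-/][lL]\s+(\d+)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"(?:https?://)?(?:[^@\s]+@)?(?:www\.)?([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})")

# Tuning note "non-local targets": RFC 1918, loopback and link-local ranges (assumed list).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Hit:
    """One row of the query's projected output."""
    device: str
    account: str
    remote_ip: Optional[str]
    remote_url: Optional[str]
    payload_size: int
    command_line: str


def extract_fields(cmd: str, strip_image: bool = True) -> Tuple[Optional[int], Optional[str], Optional[str]]:
    """Return (payload_size, remote_ip, remote_url) as the query's extract() calls would.

    With strip_image=True the first token (the executable path) is dropped before the
    hostname pattern runs; on the full command line that pattern captures "ping.exe".
    Assumption (constructed for this example): the image path contains no spaces.
    """
    m = PAYLOAD_RE.search(cmd)
    size = int(m.group(1)) if m else None
    ip_m = IPV4_RE.search(cmd)
    args = cmd.split(None, 1)[1] if strip_image and " " in cmd else cmd
    url_m = URL_RE.search(args)
    return size, (ip_m.group(0) if ip_m else None), (url_m.group(1) if url_m else None)


def is_local_target(ip: Optional[str]) -> bool:
    """True when the extracted destination sits in a local range (tuning-note filter)."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def run_detection(events: List[dict], threshold: int = 1024, ignore_local: bool = False) -> List[Hit]:
    """Apply the query's filters to DeviceProcessEvents-shaped dicts and return the hits."""
    hits = []
    for ev in events:
        if ev["FileName"].lower() != "ping.exe":      # FileName =~ "ping.exe"
            continue
        cmd = ev["ProcessCommandLine"]
        size, ip, url = extract_fields(cmd)
        if size is None or size <= threshold:         # isnotempty(payload_size) and toint(...) > threshold
            continue
        if ignore_local and is_local_target(ip):      # tuning: drop local destinations
            continue
        hits.append(Hit(ev["DeviceName"], ev["AccountName"], ip, url, size, cmd))
    return hits


# Constructed sample rows (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "alice", "FileName": "ping.exe",
     "ProcessCommandLine": "ping.exe -l 2048 -n 1 203.0.113.10"},
    {"DeviceName": "ws01", "AccountName": "alice", "FileName": "ping.exe",
     "ProcessCommandLine": "ping.exe -l 64 10.0.0.5"},                 # small payload: below threshold
    {"DeviceName": "srv02", "AccountName": "svc_backup", "FileName": "PING.EXE",
     "ProcessCommandLine": "PING.EXE /l 4096 /t updates.example.net"},  # hostname target, /l form
    {"DeviceName": "ws03", "AccountName": "bob", "FileName": "ping.exe",
     "ProcessCommandLine": "ping.exe -l 1500 192.168.1.1"},            # large but local: tuning candidate
    {"DeviceName": "ws03", "AccountName": "bob", "FileName": "ping.exe",
     "ProcessCommandLine": "ping.exe -n 4 8.8.8.8"},                   # no size flag at all
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, ignore_local=True):
        print(f"{hit.device:<6} {hit.account:<11} size={hit.payload_size:<5} "
              f"ip={hit.remote_ip} url={hit.remote_url}")
```

The `threshold` and `ignore_local` parameters correspond to the two tuning notes: raising the threshold to 2048 leaves only the 4096-byte row, and `ignore_local=True` drops the 192.168.1.1 row while keeping the hostname-only row, whose RemoteIP is empty and therefore cannot be judged local from the IP alone.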
References
- Microsoft Sentinel: Process Injection Detection
- MITRE ATT&CK: Command-Line Automation (T1059)