Query Details

Compromised Devices SMB

Query

let CompromisedDevices = dynamic([""]); // Fill in the device names (or hostnames) of the compromised devices
let SearchWindow = 7d; // Customizable: h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(SearchWindow)
// Match both directions: the compromised device as the source, or as the SMB target
| where DeviceName has_any (CompromisedDevices)
     or RemoteUrl has_any (CompromisedDevices)
| where RemotePort == 445 // SMB
| where ActionType == "ConnectionSuccess"
// !~ is a case-insensitive "not equal": drop connections attributed to the kernel image itself
| where InitiatingProcessFolderPath !~ "C:\\Windows\\System32\\ntoskrnl.exe"

Explanation

This query searches DeviceNetworkEvents for SMB activity involving known compromised devices. It looks at events within a customizable time window and keeps those where either the device name or the remote URL matches one of the compromised devices, so it covers both SMB connections made by a compromised device and connections made to it from elsewhere. It then narrows the results to successful connections (ActionType "ConnectionSuccess") on port 445. Finally, it excludes events whose initiating process is the kernel image itself, C:\Windows\System32\ntoskrnl.exe: the `!~` operator is a case-insensitive "not equal", so rows attributed to the kernel are dropped, not kept. SMB traffic handled by the in-kernel SMB client and server drivers is typically attributed to the System process (ntoskrnl.exe), so removing it leaves the port 445 connections opened by ordinary user-mode processes, which is where tooling such as remote-execution utilities or custom SMB clients shows up. The CompromisedDevices list must be populated before the query returns anything useful.
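To make the filtering steps concrete, the following is an added Python simulation of the query's logic over a handful of constructed DeviceNetworkEvents rows; it is not part of the original query or the author's code. The `has_any` helper is an approximation of KQL term matching (case-insensitive, whole terms split on non-alphanumeric characters), the sample rows, host names and paths are invented, and `NOW` is a fixed clock so the 7-day window is deterministic. It shows which rows survive each filter, in particular that the ntoskrnl.exe exclusion removes kernel-attributed SMB connections and keeps the ones opened by user-mode processes.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of the DeviceNetworkEvents columns the query uses.
SAMPLE_EVENTS = [
    # Kernel-attributed SMB redirector traffic from the compromised host: dropped by the !~ filter
    {"Timestamp": "2022-09-26T10:00:00Z", "DeviceName": "ws-finance-07.corp.example",
     "RemoteUrl": "fs01.corp.example", "RemotePort": 445, "ActionType": "ConnectionSuccess",
     "InitiatingProcessFolderPath": "c:\\windows\\system32\\ntoskrnl.exe"},
    # User-mode process on the compromised host talking SMB: kept
    {"Timestamp": "2022-09-26T10:05:00Z", "DeviceName": "ws-finance-07.corp.example",
     "RemoteUrl": "dc01.corp.example", "RemotePort": 445, "ActionType": "ConnectionSuccess",
     "InitiatingProcessFolderPath": "c:\\users\\jdoe\\appdata\\local\\temp\\psexec.exe"},
    # Another host connecting TO the compromised device over SMB: kept via the RemoteUrl match
    {"Timestamp": "2022-09-26T11:00:00Z", "DeviceName": "ws-hr-02.corp.example",
     "RemoteUrl": "ws-finance-07.corp.example", "RemotePort": 445, "ActionType": "ConnectionSuccess",
     "InitiatingProcessFolderPath": "c:\\tools\\smbclient.exe"},
    # Failed connection: dropped by the ActionType filter
    {"Timestamp": "2022-09-26T11:30:00Z", "DeviceName": "ws-finance-07.corp.example",
     "RemoteUrl": "dc01.corp.example", "RemotePort": 445, "ActionType": "ConnectionFailed",
     "InitiatingProcessFolderPath": "c:\\python39\\python.exe"},
    # HTTPS, not SMB: dropped by the port filter
    {"Timestamp": "2022-09-26T12:00:00Z", "DeviceName": "ws-finance-07.corp.example",
     "RemoteUrl": "portal.example", "RemotePort": 443, "ActionType": "ConnectionSuccess",
     "InitiatingProcessFolderPath": "c:\\program files\\google\\chrome\\application\\chrome.exe"},
    # Older than the 7-day window: dropped by the Timestamp filter
    {"Timestamp": "2022-09-10T09:00:00Z", "DeviceName": "ws-finance-07.corp.example",
     "RemoteUrl": "dc01.corp.example", "RemotePort": 445, "ActionType": "ConnectionSuccess",
     "InitiatingProcessFolderPath": "c:\\users\\jdoe\\appdata\\local\\temp\\psexec.exe"},
]

# Fixed "current time" so ago(7d) is reproducible (assumption for the example).
NOW = datetime(2022, 9, 27, 12, 0, tzinfo=timezone.utc)

# Value the query compares against with !~ (case-insensitive not-equal).
KERNEL_IMAGE = "C:\\Windows\\System32\\ntoskrnl.exe"


def _terms(s):
    """Split a string into lower-cased alphanumeric terms, roughly how KQL tokenizes for `has`."""
    return [t for t in re.split(r"[^a-z0-9]+", s.lower()) if t]


def kql_has(text, term):
    """Approximation of KQL `has`: the term's tokens must appear as a contiguous
    whole-term sequence inside the text (so "ws-finance-07" does not match "ws-finance-071")."""
    needle = _terms(term)
    if not needle:
        return False
    hay = _terms(text)
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def kql_has_any(text, terms):
    return any(kql_has(text, t) for t in terms)


def hunt_smb_from_compromised(events, compromised_devices, now=NOW, search_window=timedelta(days=7)):
    """Apply the query's filters in order and return the surviving rows."""
    cutoff = now - search_window
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        if ts <= cutoff:                      # Timestamp > ago(SearchWindow)
            continue
        if not (kql_has_any(ev["DeviceName"], compromised_devices)
                or kql_has_any(ev["RemoteUrl"], compromised_devices)):
            continue
        if ev["RemotePort"] != 445:           # SMB only
            continue
        if ev["ActionType"] != "ConnectionSuccess":
            continue
        # !~ keeps rows whose path is NOT the kernel image, compared case-insensitively
        if ev["InitiatingProcessFolderPath"].lower() == KERNEL_IMAGE.lower():
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in hunt_smb_from_compromised(SAMPLE_EVENTS, ["ws-finance-07"]):
        print(hit["DeviceName"], "->", hit["RemoteUrl"], "by", hit["InitiatingProcessFolderPath"])
```

Running it against the sample rows yields two hits: the psexec.exe connection from the compromised host and the smbclient.exe connection made to it from another host. The kernel-attributed row is the one most easily misread from the original wording, since `!~` removes it rather than selecting it.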

Details


C.J. May

Released: September 27, 2022

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,CompromisedDevices,SearchWindow,DeviceNetworkEvents,Timestamp,DeviceName,RemoteUrl,RemotePort,ActionType,InitiatingProcessFolderPath

Operators

let,dynamic,where,ago,has_any,or,==,!~
