Query Details

Detect Human Operated Ransomware Attacks That Use RDP

Query

// Detect human-operated ransomware attacks that use RDP

// Microsoft Defender for Endpoint is now enhancing RDP data by adding a detailed layer of session information. This enhancement allows you to more easily identify potentially compromised devices within your organization. The new layer provides additional details about RDP sessions in the context of initiated activities, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.
// This update introduces 8 extra fields, represented as new columns in Advanced Hunting, and expands the schema across various tables: DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, and DeviceRegistryEvents.
// The following KQL query detects the IsInitiatingProcessRemoteSession == true field across 7 schema tables for all your MDE devices over the last hour. It then correlates this data against the ProcessRemoteSessionIP (the IP address of the remote device from which the created process’s RDP session was initiated). In a typical ransomware attack, a threat actor might use compromised admin credentials to launch RDP attacks against workstations reachable by the compromised endpoint. This KQL query helps identify any remote IPs that exceed the threshold for conducting RDP attacks.

// Define your Privileged Access Workstations (PAWs) IPs below
let PAW = dynamic (['127.0.0.1', '10.0.0.1', '10.0.0.2']);
let flag = "true"; // Initiating process was run under a remote desktop protocol (RDP) session = True
let TriggerThreshold = 5; // Define the threshold above which a remote IP's RDP-initiated activity across the schema tables below is flagged
search in (DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, 
DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents)
Timestamp between (ago(1h) .. now())
and (
IsInitiatingProcessRemoteSession == flag
)
| where not (ProcessRemoteSessionIP has_any (PAW))
| where ProcessRemoteSessionIP != ""
| summarize RemoteActivityIP=count() by ProcessRemoteSessionIP
| where RemoteActivityIP > TriggerThreshold

// #MicrosoftDefender #DefenderforCloud #Security #MicrosoftSecurity #Cybersecurity #DefenderXDR #MicrosoftThreatIntelligence

Explanation

This KQL query is designed to detect potential human-operated ransomware attacks that use Remote Desktop Protocol (RDP) within your organization. Here's a simplified summary of what the query does:

  1. Identify RDP Sessions: It searches the seven enriched tables for events whose initiating process ran under an RDP session on any device within the last hour.
  2. Exclude Privileged Access Workstations (PAWs): It excludes known safe IP addresses (PAWs) and rows with no remote session IP from the results.
  3. Count RDP Sessions: It counts, per remote session IP address, the number of events initiated from that RDP session across all tables.
  4. Threshold Check: It flags any remote IP address whose count exceeds the specified threshold (in this case, more than 5) as potentially suspicious.

In essence, this query helps you identify unusual RDP activity that could indicate a ransomware attack, by focusing on remote IPs that are initiating a high number of RDP sessions, excluding known safe IPs.
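To make the correlation concrete, here is an added Python emulation of the query's logic over constructed Advanced Hunting rows (not part of the original page and not Microsoft's code); the PAW list, threshold and sample rows are assumptions chosen to exercise every filter.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical PAW allow-list and threshold, mirroring the query's `PAW` and `TriggerThreshold`.
PAW = {"127.0.0.1", "10.0.0.1", "10.0.0.2"}
TRIGGER_THRESHOLD = 5

def flag_remote_ips(events, now, paw=PAW, threshold=TRIGGER_THRESHOLD, window=timedelta(hours=1)):
    """Return {ProcessRemoteSessionIP: event count} for remote IPs whose
    RDP-initiated activity inside the window exceeds `threshold` (strictly
    greater, like the query's `> TriggerThreshold`), skipping PAWs and empty IPs.
    `events` are dicts shaped like rows from any of the seven enriched tables."""
    counts = Counter()
    start = now - window
    for ev in events:
        if not (start <= ev["Timestamp"] <= now):                   # Timestamp between (ago(1h) .. now())
            continue
        if ev.get("IsInitiatingProcessRemoteSession") is not True:  # IsInitiatingProcessRemoteSession == true
            continue
        ip = ev.get("ProcessRemoteSessionIP", "")
        if ip == "" or ip in paw:                                    # != "" and not in the PAW list
            continue
        counts[ip] += 1                                              # summarize count() by ProcessRemoteSessionIP
    return {ip: n for ip, n in counts.items() if n > threshold}

NOW = datetime(2024, 8, 7, 12, 0, tzinfo=timezone.utc)  # constructed reference time for "now"

def _row(table, minutes_ago, ip, remote=True):
    """Build one constructed row carrying only the columns the query uses."""
    return {"Table": table, "Timestamp": NOW - timedelta(minutes=minutes_ago),
            "IsInitiatingProcessRemoteSession": remote, "ProcessRemoteSessionIP": ip}

# Constructed sample rows spanning several tables (not real telemetry).
SAMPLE_EVENTS = (
    [_row("DeviceProcessEvents", m, "192.0.2.10") for m in (2, 5, 9, 14, 20)]
    + [_row("DeviceFileEvents", 30, "192.0.2.10"),
       _row("DeviceLogonEvents", 90, "192.0.2.10")]                  # 90 min ago: outside the 1h window
    + [_row("DeviceNetworkEvents", m, "198.51.100.7") for m in (3, 8, 40)]  # 3 events: under threshold
    + [_row("DeviceRegistryEvents", m, "10.0.0.1") for m in range(1, 9)]    # PAW: excluded
    + [_row("DeviceEvents", 4, ""),                                         # empty IP: excluded
       _row("DeviceImageLoadEvents", 6, "192.0.2.10", remote=False)]       # not an RDP session: excluded
)

if __name__ == "__main__":
    print(flag_remote_ips(SAMPLE_EVENTS, NOW))  # {'192.0.2.10': 6}
```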

Details


Steven Lim

Released: August 7, 2024

Tables

DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents

Keywords

Devices, Security, Ransomware, RDP, MicrosoftDefenderEndpoint, AdvancedHunting, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents, ThreatDetection, ProactiveHunting, Cybersecurity

Operators

let, search, in, between, ago, now, and, ==, has_any, !=, summarize, by, >
