Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device
Detect Suspicious Ncrypt Usage With Suspicious Rdp Session
Query
let cli_tools = dynamic(["powershell", "python"]);
// Get suspicious ncrypt.dll usage via WDAC audit policy
let time_lookback = 1h;
let no_tpm_devices = (
ExposureGraphNodes
// Get device nodes with their inventory ID
| where NodeLabel == "device"
| mv-expand EntityIds
| where EntityIds.type == "DeviceInventoryId"
// Get interesting properties
| extend OnboardingStatus = tostring(parse_json(NodeProperties)["rawData"]["onboardingStatus"]),
TpmSupported = tostring(parse_json(NodeProperties)["rawData"]["tpmData"]["supported"]),
TpmEnabled = tostring(parse_json(NodeProperties)["rawData"]["tpmData"]["enabled"]),
TpmActivated = tostring(parse_json(NodeProperties)["rawData"]["tpmData"]["activated"]),
DeviceName = tostring(parse_json(NodeProperties)["rawData"]["deviceName"]),
DeviceId = tostring(EntityIds.id)
// Search for distinct devices
| distinct DeviceId, DeviceName, OnboardingStatus, TpmSupported, TpmEnabled, TpmActivated
// Get Unmanaged devices and device not supporting a TPM
| where OnboardingStatus != "Onboarded" or (TpmSupported != "true" and TpmActivated != "true" and TpmEnabled != "true")
| extend TpmSupported = iff(TpmSupported == "", "unknown", TpmSupported),
TpmActivated = iff(TpmActivated == "", "unknown", TpmActivated),
TpmEnabled = iff(TpmEnabled == "", "unknown", TpmEnabled)
);
let no_tpm_device_info = (
DeviceNetworkInfo
| where Timestamp > ago(7d)
// Get latest network info for each device ID
| summarize arg_max(Timestamp, *) by DeviceId
| mv-expand todynamic(IPAddresses)
| extend IPAddress = tostring(IPAddresses.IPAddress)
// Find no TPM devices and join with their network information
| join kind=inner no_tpm_devices on DeviceId
| project DeviceId, DeviceName, MacAddress, IPAddress, OnboardingStatus, TpmActivated, TpmEnabled, TpmSupported
);
let dangerous_rdp_sessions = (
DeviceNetworkEvents
| where Timestamp > ago(time_lookback)
// Exclude MDI RDP Connections (known for NNR)
| where InitiatingProcessFileName !~ "microsoft.tri.sensor.exe"
// Search for RDP connections to non-tpm devices
| where ActionType == "ConnectionSuccess"
| where RemotePort == 3389
| join kind=inner no_tpm_device_info on $left.RemoteIP == $right.IPAddress
| project-rename RemoteDeviceId = DeviceId1,
RdpRemoteDeviceName = DeviceName1,
RdpRemoteMacAddress = MacAddress,
RdpRemoteDeviceOnboardingStatus = OnboardingStatus,
RdpRemoteDeviceTpmActivated = TpmActivated,
RdpRemoteDeviceTpmEnabled = TpmEnabled,
RdpRemoteDeviceTpmSupported = TpmSupported,
RdpTimeGenerated = Timestamp,
RdpInitiatingProcessFileName = InitiatingProcessFileName
| project-away IPAddress
);
// Get all possible nonce requests
let nonce_requests = (
DeviceNetworkEvents
| where Timestamp > ago(time_lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl =~ "login.microsoftonline.com"
| project-rename NonceRequestTimestamp = Timestamp
);
// Get suspicious ncrypt.dll usage via WDAC audit policy
DeviceEvents
| where Timestamp > ago(time_lookback)
| where ActionType startswith "AppControl" and FileName =~ "ncrypt.dll"
// Check if the same initiating process is doing a nonce request
| join kind=inner nonce_requests on InitiatingProcessId, DeviceId
// Only flag when nonce was request 10min before of after ncrypt usage
| where Timestamp between (todatetime(NonceRequestTimestamp - 10m) .. todatetime(NonceRequestTimestamp + 10m))
// Check if the same device is doing RDP Connections
| join kind=inner dangerous_rdp_sessions on DeviceId
// Whitelist known good processes
| where InitiatingProcessFileName !in ("backgroundtaskhost.exe","svchost.exe")
// Project interesting columns
| extend WdacPolicyName = parse_json(AdditionalFields)["PolicyName"]
| project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessSHA1, InitiatingProcessFileName,
InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessParentFileName, WdacPolicyName, InitiatingProcessRemoteSessionDeviceName, InitiatingProcessRemoteSessionIP,
NonceRequestTimestamp, RdpTimeGenerated, RdpInitiatingProcessFileName, RdpRemoteDeviceName, RdpRemoteMacAddress, RdpRemoteDeviceOnboardingStatus,
RdpRemoteDeviceTpmActivated, RdpRemoteDeviceTpmEnabled, RdpRemoteDeviceTpmSupportedAbout this query
Explanation
This query is designed to detect suspicious activities involving the use of the ncrypt.dll file in conjunction with Remote Desktop Protocol (RDP) connections to devices that are either unmanaged or not protected by a Trusted Platform Module (TPM). Here's a simplified breakdown of what the query does:
-
Identify Unmanaged or Non-TPM Devices:
- The query first identifies devices that are either not onboarded (unmanaged) or do not support/enable/activate TPM. These devices are considered less secure.
-
Gather Network Information:
- It collects the latest network information for these identified devices, including their IP addresses and other relevant details.
-
Detect RDP Connections:
- The query looks for successful RDP connections (port 3389) to these less secure devices. It excludes known benign processes like
microsoft.tri.sensor.exefrom this search.
- The query looks for successful RDP connections (port 3389) to these less secure devices. It excludes known benign processes like
-
Monitor
ncrypt.dllUsage:- It tracks the usage of
ncrypt.dllthrough Windows Defender Application Control (WDAC) audit logs. This DLL is associated with cryptographic operations and could be used maliciously.
- It tracks the usage of
-
Check for Nonce Requests:
- The query checks for connections to
login.microsoftonline.com, which might indicate attempts to authenticate or generate tokens.
- The query checks for connections to
-
Correlate Events:
- It correlates the
ncrypt.dllusage with nonce requests and RDP connections. Specifically, it looks for nonce requests occurring within 10 minutes before or after thencrypt.dllusage.
- It correlates the
-
Filter Out Known Good Processes:
- The query excludes known benign processes like
backgroundtaskhost.exeandsvchost.exeto reduce false positives.
- The query excludes known benign processes like
-
Output Relevant Information:
- Finally, it outputs relevant details about the suspicious activities, including timestamps, device names, process details, and TPM status.
The overall goal of this query is to detect potential security threats where an attacker might be using a script (like hellopoc.ps1 from RoadTools) to exploit Windows Hello for Business keys via RDP sessions to vulnerable devices.
Details

Robbe Van den Daele
Released: April 26, 2025
Tables
Keywords
Operators