Query Details

Identifying File Exfiltration Via RDP Sessions

Query

**Identifying File Exfiltration via RDP Sessions**

**Description:** The following KQL query detects cases where files are created, modified, or otherwise accessed over RDP from another computer. Its main objective is to verify whether an RDP session has mapped a local disk or other redirected device (paths under `\\tsclient`), which makes potential data exfiltration through RDP file transfer easy to identify.

```kusto
DeviceFileEvents
| where FolderPath startswith "\\\\tsclient" and isnotempty(InitiatingProcessRemoteSessionIP)
| extend geo_info = tostring(geo_info_from_ip_address(InitiatingProcessRemoteSessionIP).country)
| project Timestamp, RemoteIP = InitiatingProcessRemoteSessionIP, geo_info, External_Device = InitiatingProcessRemoteSessionDeviceName, DeviceId, Connected_to = DeviceName, ActionType, FileName, FolderPath, InitiatingProcessVersionInfoFileDescription, RequestAccountName, RequestAccountDomain, IsInitiatingProcessRemoteSession, InitiatingProcessSessionId, ReportId
```

Explanation

This KQL query is designed to detect potential data exfiltration activities during Remote Desktop Protocol (RDP) sessions. Here's a simplified explanation of what it does:

  1. Data Source: It looks at events related to file activities on devices (DeviceFileEvents).

  2. Filter Criteria: It specifically filters for file activities occurring in folders that start with \\tsclient, which indicates that the files are being accessed through a redirected local disk during an RDP session. Additionally, it checks that there is an IP address associated with the initiating process, confirming that the action is happening over a remote session.

  3. Geo-Location: The query extracts geographical information (country) from the IP address of the initiating process to provide context about where the remote session is originating from.

  4. Data Projection: It selects and displays specific details about each event, including:

    • The time it occurred (Timestamp).
    • The remote IP address (RemoteIP).
    • The country of origin (geo_info).
    • The name of the external device involved (External_Device).
    • The ID of the device where the event occurred (DeviceId).
    • The name of the device connected to (Connected_to).
    • The type of action performed (ActionType).
    • The name and path of the file involved (FileName, FolderPath).
    • Information about the process that initiated the action (InitiatingProcessVersionInfoFileDescription).
    • The account name and domain used in the request (RequestAccountName, RequestAccountDomain).
    • Session details (IsInitiatingProcessRemoteSession, InitiatingProcessSessionId).
    • A report identifier (ReportId).

Overall, this query helps identify suspicious file activities that could indicate data being transferred out of a network via RDP, which is a common method for data exfiltration.
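As an added example (not part of the original query page), the same filter expressed in plain Python over constructed DeviceFileEvents-style records, plus a per-session file count that a triage step could add to the KQL with `summarize`. The records, hostnames and addresses are invented for illustration.

```python
"""Replicate the page's KQL filter over DeviceFileEvents-like records:
FolderPath starts with \\tsclient (RDP drive redirection) and the
initiating process belongs to a remote session with a known IP."""
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names follow the
# DeviceFileEvents schema; every value below is invented.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-10-15T09:01:00Z", "DeviceName": "srv-fin01",
     "FolderPath": r"\\tsclient\C\Users\alice\Desktop", "FileName": "payroll.xlsx",
     "ActionType": "FileCreated", "InitiatingProcessRemoteSessionIP": "198.51.100.23",
     "InitiatingProcessRemoteSessionDeviceName": "LAPTOP-ALICE",
     "RequestAccountName": "alice", "InitiatingProcessSessionId": 3},
    {"Timestamp": "2025-10-15T09:01:05Z", "DeviceName": "srv-fin01",
     "FolderPath": r"\\TSCLIENT\C\Users\alice\Desktop", "FileName": "contracts.zip",
     "ActionType": "FileCreated", "InitiatingProcessRemoteSessionIP": "198.51.100.23",
     "InitiatingProcessRemoteSessionDeviceName": "LAPTOP-ALICE",
     "RequestAccountName": "alice", "InitiatingProcessSessionId": 3},
    # Local write on the server itself: not a redirected drive, must not match.
    {"Timestamp": "2025-10-15T09:02:00Z", "DeviceName": "srv-fin01",
     "FolderPath": r"C:\Users\alice\Documents", "FileName": "notes.txt",
     "ActionType": "FileModified", "InitiatingProcessRemoteSessionIP": "198.51.100.23",
     "InitiatingProcessRemoteSessionDeviceName": "LAPTOP-ALICE",
     "RequestAccountName": "alice", "InitiatingProcessSessionId": 3},
    # tsclient path but no remote-session IP recorded: fails isnotempty().
    {"Timestamp": "2025-10-15T09:03:00Z", "DeviceName": "srv-fin01",
     "FolderPath": r"\\tsclient\D\backup", "FileName": "db.bak",
     "ActionType": "FileCreated", "InitiatingProcessRemoteSessionIP": "",
     "InitiatingProcessRemoteSessionDeviceName": "",
     "RequestAccountName": "svc-backup", "InitiatingProcessSessionId": 0},
]


def is_tsclient_write(ev):
    """Same predicate as the KQL where clause. KQL's startswith is
    case-insensitive, so the path is lower-cased before comparing."""
    path = ev.get("FolderPath", "") or ""
    return path.lower().startswith(r"\\tsclient") and bool(
        ev.get("InitiatingProcessRemoteSessionIP"))


def find_rdp_exfil(events):
    """Return the events that the page's query would surface."""
    return [ev for ev in events if is_tsclient_write(ev)]


def summarize_by_session(events):
    """Count matched files per (remote IP, session id): a burst of writes
    to \\tsclient from one session is the pattern worth triaging first."""
    counts = defaultdict(int)
    for ev in find_rdp_exfil(events):
        key = (ev["InitiatingProcessRemoteSessionIP"], ev["InitiatingProcessSessionId"])
        counts[key] += 1
    return dict(counts)
```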

Details

Sergio Albea

Released: October 15, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, RDP, Session, IP Address, Country, Device Name, Action Type, File Name, Folder Path, Account Name, Account Domain, Session Id, Report Id

Operators

DeviceFileEvents, where, startswith, isnotempty, extend, tostring, geo_info_from_ip_address, project