MDE Device Rename

# MDE - Device Rename

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1078 | Initial Access: Valid Accounts | https://attack.mitre.org/techniques/T1078/ |

### Description

Use the queries below to identify Windows devices that have been renamed. A rename is often routine (reimaging, a naming-convention change), but an unexpected one can indicate unauthorized access or an attempt to make a host pass as another system.

#### References

- [Valid Accounts](https://attack.mitre.org/techniques/T1078/)
- [Windows Netlogon Elevation of Privilege Vulnerability - CVE-2024-38124](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38124)

### Microsoft Defender XDR

Detect a device rename from Defender for Endpoint `DeviceInfo` records (devices whose hardware UUID has reported more than one name)

```kql
// Hardware UUIDs that have reported more than one DeviceName in the queried time range.
// Records without a HardwareUuid are skipped, since they cannot be correlated across renames.
let DeviceMultipleNames = (
    DeviceInfo
    | where isnotempty(HardwareUuid)
    | summarize arg_max(Timestamp, *), ComputerNames = make_set(DeviceName), DeviceNameCount = dcount(DeviceName) by HardwareUuid
    | where DeviceNameCount > 1
    | project Timestamp, ComputerNames, HardwareUuid);
DeviceMultipleNames
```
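The following is an added worked example, not part of the original query set, that runs the same detection over a constructed `datatable` standing in for `DeviceInfo`, so it can be tried in any Kusto environment without MDE data. It also goes one step beyond the query above: because `DeviceName` is the fully qualified name, a domain join that only adds a DNS suffix would otherwise look like a rename, so the example compares the short host name instead (the `HostName` column is an assumption added here, not a `DeviceInfo` field). All UUIDs, names and timestamps are invented.

```kql
// Constructed sample rows standing in for DeviceInfo (not real telemetry).
let DeviceInfoSample = datatable(Timestamp:datetime, DeviceName:string, HardwareUuid:string)
[
    // Same hardware, genuinely different host name: a rename
    datetime(2024-10-01 08:00:00), "ws-finance-01.contoso.com", "11111111-1111-1111-1111-111111111111",
    datetime(2024-10-03 09:15:00), "dc01-lab.contoso.com",      "11111111-1111-1111-1111-111111111111",
    // Same hardware, only the DNS suffix changed (domain join): not a rename
    datetime(2024-10-01 08:05:00), "ws-hr-07",                  "22222222-2222-2222-2222-222222222222",
    datetime(2024-10-02 08:05:00), "ws-hr-07.contoso.com",      "22222222-2222-2222-2222-222222222222",
    // No HardwareUuid reported: excluded by the isnotempty filter
    datetime(2024-10-01 08:10:00), "srv-app-02.contoso.com",    ""
];
DeviceInfoSample
| where isnotempty(HardwareUuid)
// Normalize to the short host name so suffix-only changes are ignored (added here, not in the original query)
| extend HostName = tolower(tostring(split(DeviceName, ".")[0]))
| summarize arg_max(Timestamp, *),
            ComputerNames = make_set(DeviceName),
            HostNames = make_set(HostName),
            HostNameCount = dcount(HostName)
            by HardwareUuid
| where HostNameCount > 1
| project Timestamp, HardwareUuid, ComputerNames, HostNames
```

Run as-is, only the first hardware UUID is returned (with both of its names in `ComputerNames`); the domain-joined workstation and the record without a UUID are not. Drop the `HostName` normalization if you do want suffix changes reported as well.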

Detect a device rename when the device is AD-joined (requires Defender for Identity)

```kql
// Account renames in Active Directory as seen by Defender for Identity.
// A computer rename changes the computer object's account name, so it surfaces here,
// but the same action type also fires for user account renames.
IdentityDirectoryEvents
| where ActionType == @"Account Name changed"
| extend FROM_Account_Name = tostring(AdditionalFields.["FROM Account Name"])
| extend TO_Account_Name = tostring(AdditionalFields.["TO Account Name"])
// Timestamp is the Defender XDR advanced hunting column; in Microsoft Sentinel use TimeGenerated instead
| project Timestamp, FROM_Account_Name, TO_Account_Name, ActionType, TargetDeviceName
```
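The following is an added worked example, not part of the original query set, that runs the Defender for Identity logic over a constructed `datatable` standing in for `IdentityDirectoryEvents`. It extends the query above with a filter that keeps only computer-account renames, on the assumption that the names in `AdditionalFields` are sAMAccountNames, where computer accounts end in `$`; if your tenant reports them differently, adjust the filter. The events, names and timestamps are invented.

```kql
// Constructed sample rows standing in for IdentityDirectoryEvents (not real MDI telemetry).
let IdentityDirectoryEventsSample = datatable(Timestamp:datetime, ActionType:string, TargetDeviceName:string, AdditionalFields:dynamic)
[
    // A computer account renamed from one host name to another
    datetime(2024-10-03 09:10:00), "Account Name changed", "DC01.contoso.com",
        dynamic({"FROM Account Name": "WS-FINANCE-01$", "TO Account Name": "DC01-LAB$"}),
    // A user account renamed: same action type, but not a device rename
    datetime(2024-10-03 10:00:00), "Account Name changed", "DC01.contoso.com",
        dynamic({"FROM Account Name": "jsmith", "TO Account Name": "john.smith"}),
    // A different action type: dropped by the ActionType filter
    datetime(2024-10-03 10:05:00), "Account Password changed", "DC01.contoso.com",
        dynamic({})
];
IdentityDirectoryEventsSample
| where ActionType == @"Account Name changed"
// Bracket indexing is equivalent to the AdditionalFields.["..."] form used in the query above
| extend FROM_Account_Name = tostring(AdditionalFields["FROM Account Name"])
| extend TO_Account_Name = tostring(AdditionalFields["TO Account Name"])
// Keep computer accounts only (assumed sAMAccountName convention: trailing "$")
| where FROM_Account_Name endswith "$" or TO_Account_Name endswith "$"
| project Timestamp, FROM_Account_Name, TO_Account_Name, ActionType, TargetDeviceName
```

Run as-is, only the first row (`WS-FINANCE-01$` to `DC01-LAB$`) is returned; the user rename and the password change are filtered out. Remove the `endswith "$"` line to get the original query's behaviour, which reports user renames too.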

Explanation

These queries identify Windows devices that have been renamed. A rename is frequently benign, but it can also indicate unauthorized access or a configuration change that makes a host look like another system, so unexpected renames are worth reviewing. The first query uses Microsoft Defender for Endpoint telemetry, the second Microsoft Defender for Identity.

  1. Detecting device renames with Defender for Endpoint:

    • The first query groups `DeviceInfo` records by `HardwareUuid` and collects the distinct `DeviceName` values seen for each; any hardware UUID with more than one name has been renamed within the queried time range. Two caveats: `DeviceName` is the fully qualified name, so a domain join or DNS-suffix change appears as a rename even though the host name itself is unchanged (compare only the part before the first `.` if that matters to you), and devices that report no `HardwareUuid` are skipped entirely.

  2. Detecting account name changes with Defender for Identity:

    • The second query filters `IdentityDirectoryEvents` for the `Account Name changed` action type and extracts the old and new names from `AdditionalFields`. In Active Directory a computer rename changes the computer object's account name, so it surfaces here; the same action type also fires for user account renames, which you may want to filter out (if the names are reported as sAMAccountNames, computer accounts end in `$`).

Together the two queries give an endpoint-side and a directory-side view of device renames in a Windows environment, which is useful for corroborating a rename seen in one source against the other.

Details

Alex Verboon

Released: October 9, 2024

Tables

DeviceInfo, IdentityDirectoryEvents

Keywords

DeviceInfo, IdentityDirectoryEvents, HardwareUuid, ComputerNames, DeviceName, Timestamp, ActionType, AccountName, AdditionalFields, TargetDeviceName

Operators

let, isnotempty, summarize, arg_max, make_set, dcount, by, where, project, extend, tostring, ==