Query Details

Find all the executed LDAP queries from a compromised device

MDI LDAP Queries By Compromised Device

Query

let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
     TimeGenerated,
     QueryType,
     Query,
     Protocol,
     DeviceName,
     DestinationDeviceName,
     TargetAccountUpn

About this query

Find all the executed LDAP queries from a compromised device

Defender XDR

let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
     Timestamp,
     QueryType,
     Query,
     Protocol,
     DeviceName,
     DestinationDeviceName,
     TargetAccountUpn

Sentinel

Explanation

The query is designed to identify all LDAP (Lightweight Directory Access Protocol) queries executed from a specific device that is suspected to be compromised. Here's a simplified breakdown of what the query does:

  1. Define the Compromised Device: The query specifies a device named "laptop1.com" as the compromised device from which LDAP queries are being investigated.

  2. Set the Time Frame: It looks at events that have occurred within the last 48 hours. This time frame can be adjusted by changing the value of SearchWindow.

  3. Filter Events: The query filters the data to include only those events that:

    • Occurred within the specified time frame.
    • Originated from the compromised device ("laptop1.com").
    • Used the LDAP protocol.
  4. Select Relevant Information: It then selects and displays specific details about each LDAP query, including:

    • The timestamp of when the query was executed.
    • The type of query.
    • The actual query executed.
    • The protocol used (LDAP).
    • The name of the compromised device.
    • The destination device name (where the query was directed).
    • The target account's UPN (User Principal Name).

The query is written for two different platforms, Defender XDR and Sentinel, with slight differences in the field names (Timestamp vs. TimeGenerated) but otherwise performs the same function on both platforms.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityQueryEvents

Keywords

IdentityQueryEventsTimestampQueryTypeQueryProtocolDeviceNameDestinationDeviceNameTargetAccountUpnTimeGenerated

Operators

letwhereagoproject

Actions

GitHub