Query Details

MDI LDAP Queries By Compromised Device

Query

# Find all the executed LDAP queries from a compromised device

### Defender For Endpoint

```
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
     Timestamp,
     QueryType,
     Query,
     Protocol,
     DeviceName,
     DestinationDeviceName,
     TargetAccountUpn
```
### Sentinel
```
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
     TimeGenerated,
     QueryType,
     Query,
     Protocol,
     DeviceName,
     DestinationDeviceName,
     TargetAccountUpn
```



Explanation

The query pulls Microsoft Defender for Identity telemetry from the IdentityQueryEvents table and returns every LDAP query that a specific compromised device issued inside the chosen time window (48 hours by default; adjust SearchWindow with h for hours or d for days). For each query it projects the timestamp, query type, the query text itself, the protocol, the source device name, the destination device (typically the domain controller that answered) and the target account UPN. The DeviceName value must match the name as Defender for Identity reports it, so check a sample row first if the filter returns nothing. The only difference between the two versions is the timestamp column: Defender XDR advanced hunting uses Timestamp, Sentinel uses TimeGenerated.
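Listing every row is a good start, but during triage it is usually more useful to aggregate the same telemetry: how often each LDAP filter was issued, when it was first and last seen, which domain controllers answered, and which queries request attributes that are typical of Active Directory reconnaissance. The query below is an added example for that purpose and is not part of the original page or the author's query set. The device name, the window and the attribute list are assumptions; for Sentinel replace Timestamp with TimeGenerated.

```kql
// Added example (not from the original page): aggregate MDI LDAP telemetry for triage.
let CompromisedDevice = "laptop1.com";   // assumption: device name as reported by MDI
let SearchWindow = 48h;                  // h = hours, d = days
// Assumption: attributes that are frequently requested during AD reconnaissance.
// "has" is case-insensitive and term-based, so it matches inside LDAP filters
// such as (&(objectClass=user)(servicePrincipalName=*)).
let ReconAttributes = dynamic(["servicePrincipalName", "adminCount", "userAccountControl", "memberOf", "primaryGroupID"]);
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| extend ReconAttribute = Query has_any (ReconAttributes)
| summarize
    QueryCount        = count(),
    FirstSeen         = min(Timestamp),
    LastSeen          = max(Timestamp),
    DomainControllers = make_set(DestinationDeviceName),
    Accounts          = make_set(AccountUpn),
    TargetAccounts    = make_set(TargetAccountUpn, 20)
    by QueryType, Query, ReconAttribute
| order by ReconAttribute desc, QueryCount desc
```

Rows flagged with ReconAttribute == true sort to the top; a large QueryCount for a single filter, or a filter answered by many domain controllers in a short FirstSeen to LastSeen span, is the pattern to look at first. Pivot back to the original row-level query on the Query value to see the exact sequence.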

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

IdentityQueryEvents

Keywords

IdentityQueryEvents, Timestamp, QueryType, Query, Protocol, DeviceName, DestinationDeviceName, TargetAccountUpn, TimeGenerated

Operators

where, ago, ==, project
