Query Details

MDI Lateral Movement By Compromised Accounts

Query

# Find which devices have been accessed by a list of compromised accounts and which protocol was used to connect
----
### Defender For Endpoint

```
let CompromisedUsers = dynamic(['user1', 'user2']); // accounts known or suspected to be compromised
let SearchWindow = 48h; // Customizable: h = hours, d = days
IdentityLogonEvents
| where Timestamp > ago(SearchWindow)
| where AccountName has_any (CompromisedUsers) // term match, case-insensitive; use in~ for an exact match
| where isnotempty(TargetDeviceName) // keep only logons that reached a device
| where ActionType == "LogonSuccess" // failed attempts are noise for a lateral movement trace
| project Timestamp, AccountName, Protocol, TargetDeviceName
```
### Sentinel
```
let CompromisedUsers = dynamic(['user1', 'user2']); // accounts known or suspected to be compromised
let SearchWindow = 48h; // Customizable: h = hours, d = days
IdentityLogonEvents
| where TimeGenerated > ago(SearchWindow)
| where AccountName has_any (CompromisedUsers) // term match, case-insensitive; use in~ for an exact match
| where isnotempty(TargetDeviceName) // keep only logons that reached a device
| where ActionType == "LogonSuccess" // failed attempts are noise for a lateral movement trace
| project TimeGenerated, AccountName, Protocol, TargetDeviceName
```



Explanation

The query lists the devices that a known set of compromised accounts has successfully logged on to, together with the authentication protocol each logon used (for example Kerberos or NTLM), which is the raw material for tracing lateral movement. It scopes IdentityLogonEvents to the last SearchWindow, keeps only rows whose AccountName contains one of the listed accounts, drops events that have no TargetDeviceName, and keeps only successful logons before projecting the timestamp (TimeGenerated in Sentinel), account name, protocol and target device. Two caveats: has_any is a term match, so 'user1' also matches 'user1@contoso.com' but not 'user10'; use in~ instead if you have exact account names. And IdentityLogonEvents only contains on-premises Active Directory authentications captured by Defender for Identity sensors plus cloud sign-ins captured by Defender for Cloud Apps, so a domain controller without a sensor contributes no rows.
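The flat per-event list above is fine for a handful of logons, but for an incident it is usually more useful to collapse it into one row per account and target device showing when the account first and last reached that host, from where, and over which protocols. The query below is an added example and not part of the original page; it assumes the same IdentityLogonEvents schema (DeviceName is the source device, TargetDeviceName the destination), uses in~ for an exact match, and the account names are placeholders:

```kusto
// Added example: per-account lateral movement map built from IdentityLogonEvents.
// Assumes the Microsoft 365 Defender advanced hunting schema; swap Timestamp for TimeGenerated in Sentinel.
let CompromisedUsers = dynamic(['user1', 'user2']); // placeholder account names
let SearchWindow = 48h;
IdentityLogonEvents
| where Timestamp > ago(SearchWindow)
| where ActionType == "LogonSuccess"
| where isnotempty(TargetDeviceName)
// in~ is an exact, case-insensitive match; has_any would also match user1 inside user1@contoso.com
| where AccountName in~ (CompromisedUsers)
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    LogonCount = count(),
    Protocols = make_set(Protocol),
    SourceDevices = make_set(DeviceName)
    by AccountName, TargetDeviceName
| order by AccountName asc, FirstSeen asc
```

Ordering by FirstSeen per account gives the hop sequence; a target device that later appears as a SourceDevice for the same account is the next hop in the chain.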

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

IdentityLogonEvents

Keywords

Devices,Intune,User,Timestamp,AccountName,Protocol,TargetDeviceName,SearchWindow,CompromisedUsers,IdentityLogonEvents,ActionType,TimeGenerated

Operators

let, dynamic, where, has_any, isnotempty, project
