Query Details

NTLMv2 Hash Leak via COM Detection

Query

// NTLMv2 Hash Leak via COM Detection
// https://medium.com/@andreabocchetti88/ntlmv2-hash-leak-via-com-auto-execution-543919e577cb

let QueryPeriod = 1h;
// Devices that had a successful, interactive, local logon inside the window
let UserDeviceLogon =
DeviceLogonEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "LogonSuccess" and LogonType == "Interactive"
// IsLocalLogon is stored as a JSON boolean in AdditionalFields; tobool() also accepts the string "true"
| where tobool(parse_json(AdditionalFields).IsLocalLogon) == true
| distinct DeviceName;
// Successful outbound SMB (TCP 445) connections from those devices to public IP addresses
DeviceNetworkEvents
| where Timestamp > ago(QueryPeriod)
| where RemotePort == 445 and RemoteIPType == "Public"   // RemotePort is an int column, not a string
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (UserDeviceLogon)

Explanation

This query is designed to detect potential NTLMv2 hash leaks via COM auto-execution. Here's a simplified explanation of what it does:

  1. Define a Time Frame: The query looks at events that occurred within the last hour (QueryPeriod = 1h).

  2. Identify Successful Local Logons:

    • It searches for logon events (DeviceLogonEvents) where the logon was successful (LogonSuccess) and was done interactively (LogonType == "Interactive").
    • It filters these events to include only those where the logon was local (IsLocalLogon is true).
    • It then creates a list of distinct device names where these logons occurred.

  3. Detect Network Connections:

    • It examines network events (DeviceNetworkEvents) within the same time frame.
    • It looks for successful network connections (ConnectionSuccess) to port 445, the port used by the SMB (Server Message Block) protocol.
    • It filters these connections to include only those made to public IP addresses (RemoteIPType == "Public").
    • Finally, it checks if these connections are coming from any of the devices identified in the successful local logons list.

In essence, the query is trying to find devices that have had a successful local logon and then made a successful network connection to a public IP on port 445, which could indicate a potential NTLMv2 hash leak: when Windows opens an SMB session to a remote server it authenticates with NTLM, so an outbound connection to an attacker-controlled share hands the NTLMv2 response to that server.
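As an added example (not part of the original query or the linked article), the same two filters joined back to the logon record, so each hit shows the logged-on account and the process that opened the outbound SMB session, which is what an analyst needs to triage it. It assumes the standard Defender for Endpoint advanced hunting schema (DeviceId, AccountDomain, AccountName, RemoteIP, RemoteUrl and the InitiatingProcess* columns).

```kql
// Added example: enriched variant of the page's detection, not the original query.
let QueryPeriod = 1h;
// One row per device/account with a successful interactive local logon in the window
let LocalInteractiveLogons =
    DeviceLogonEvents
    | where Timestamp > ago(QueryPeriod)
    | where ActionType == "LogonSuccess" and LogonType == "Interactive"
    | where tobool(parse_json(AdditionalFields).IsLocalLogon) == true
    | summarize LastLogon = max(Timestamp) by DeviceId, DeviceName, AccountDomain, AccountName;
DeviceNetworkEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 445 and RemoteIPType == "Public"
// Join on DeviceId, which is stable, rather than on the display name
| join kind=inner LocalInteractiveLogons on DeviceId
| project Timestamp, DeviceName, AccountDomain, AccountName, LastLogon,
          RemoteIP, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName
| order by Timestamp desc
```

Legitimate outbound SMB to a public address (for example a cloud file share mounted over port 445) matches as well; the initiating process and remote address columns are what separate those from a COM-triggered authentication.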

Details


Steven Lim

Released: May 31, 2025

Tables

DeviceLogonEvents, DeviceNetworkEvents

Keywords

DeviceLogonEvents, DeviceNetworkEvents, Timestamp, ActionType, LogonType, AdditionalFields, DeviceName, RemotePort, RemoteIPType

Operators

let, |, where, >, ==, and, parse_json, distinct, has_any
