New Lateral Movement Path To Sensitive Account Identified

# Hunt for newly identified lateral movement paths to sensitive accounts

## Query Information

#### Description
Defender for Identity calculates potential lateral movement paths to sensitive accounts, comparable to an attack path in a BloodHound graph: a chain of logons and local group memberships through which a non-sensitive account (or the device it is logged on to) could be used to take over a sensitive account. A newly identified path therefore means that a sensitive account can be compromised if an attacker follows that path, and it is worth reviewing before the attacker does.

#### References
- https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths

## Defender For Endpoint

```
// Lateral movement path events raised by Defender for Identity
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
// AdditionalFields is a JSON string here; parse it once and read the keys from the parsed object
| extend AdditionalInfo = parse_json(AdditionalFields)
// ACTOR.ACCOUNT = the sensitive account the path leads to, FROM.ACCOUNT = the account at the start of the path
| extend LateralMovementPathToSensitiveAccount = AdditionalInfo.['ACTOR.ACCOUNT']
| extend FromAccount = AdditionalInfo.['FROM.ACCOUNT']
| project
     Timestamp,
     LateralMovementPathToSensitiveAccount,
     FromAccount,
     DeviceName,
     AccountName,
     AccountDomain
```
## Sentinel
```
// Lateral movement path events raised by Defender for Identity
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
// parse_json() is a no-op if the column is already dynamic; read the keys from the parsed object
| extend AdditionalInfo = parse_json(AdditionalFields)
// ACTOR.ACCOUNT = the sensitive account the path leads to, FROM.ACCOUNT = the account at the start of the path
| extend LateralMovementPathToSensitiveAccount = AdditionalInfo.['ACTOR.ACCOUNT']
| extend FromAccount = AdditionalInfo.['FROM.ACCOUNT']
| project
     TimeGenerated,
     LateralMovementPathToSensitiveAccount,
     FromAccount,
     DeviceName,
     AccountName,
     AccountDomain
```
Explanation

The query hunts for paths that indicate potential lateral movement to sensitive accounts. It reads the IdentityDirectoryEvents table and keeps only events whose ActionType is "Potential lateral movement path identified". It then parses the AdditionalFields column and extracts two values from it: ACTOR.ACCOUNT, the sensitive account the path leads to, and FROM.ACCOUNT, the account at the start of the path. Finally it projects the timestamp, both ends of the path, and the device and account on which the event was observed. The query contains no time filter, so "newly identified" is relative to the time range selected when it is run; to surface only paths that have not been seen before, compare the results against a longer lookback period. The same query works in Defender for Endpoint advanced hunting and in Sentinel, with Timestamp and TimeGenerated as the respective time columns.
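The following Python script is an added example, not part of the original query or the repository it comes from. It reproduces the query's logic over a handful of constructed IdentityDirectoryEvents rows and adds the lookback comparison the explanation mentions: a path counts as new only when it appears inside the recent window and not in the preceding baseline period. The sample rows, account and device names are constructed; the assumption is that AdditionalFields carries the ACTOR.ACCOUNT and FROM.ACCOUNT keys the query above reads, either as a JSON string (Defender for Endpoint) or as an already-parsed object (Sentinel). Malformed or incomplete payloads are skipped rather than allowed to abort the hunt.

```python
import json
from datetime import datetime, timedelta, timezone

LMP_ACTION = "Potential lateral movement path identified"

# Constructed sample rows shaped like IdentityDirectoryEvents (not real telemetry).
# Assumption: AdditionalFields carries the ACTOR.ACCOUNT / FROM.ACCOUNT keys the KQL reads.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-01-20T08:00:00Z", "ActionType": LMP_ACTION,
     "DeviceName": "ws01.contoso.local", "AccountName": "jdoe", "AccountDomain": "contoso",
     "AdditionalFields": json.dumps({"ACTOR.ACCOUNT": "da-admin", "FROM.ACCOUNT": "jdoe"})},
    {"Timestamp": "2023-02-14T09:30:00Z", "ActionType": LMP_ACTION,  # same path seen again
     "DeviceName": "ws01.contoso.local", "AccountName": "jdoe", "AccountDomain": "contoso",
     "AdditionalFields": json.dumps({"ACTOR.ACCOUNT": "da-admin", "FROM.ACCOUNT": "jdoe"})},
    {"Timestamp": "2023-02-14T10:05:00Z", "ActionType": LMP_ACTION,  # Sentinel-style dynamic column
     "DeviceName": "srv-file01.contoso.local", "AccountName": "bsmith", "AccountDomain": "contoso",
     "AdditionalFields": {"ACTOR.ACCOUNT": "svc-sql", "FROM.ACCOUNT": "bsmith"}},
    {"Timestamp": "2023-02-14T10:06:00Z", "ActionType": "Account Password changed",  # filtered out
     "DeviceName": "dc01.contoso.local", "AccountName": "bsmith", "AccountDomain": "contoso",
     "AdditionalFields": "{}"},
    {"Timestamp": "2023-02-14T11:00:00Z", "ActionType": LMP_ACTION,  # malformed payload
     "DeviceName": "ws07.contoso.local", "AccountName": "kwong", "AccountDomain": "contoso",
     "AdditionalFields": "not-json"},
]


def _parse_additional_fields(value):
    """Equivalent of parse_json(): accept a JSON string or an already-parsed object."""
    if isinstance(value, dict):
        return value
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_lmp_events(events):
    """Mirror of the KQL: keep LMP rows, parse AdditionalFields, project the path columns."""
    rows = []
    for ev in events:
        if ev.get("ActionType") != LMP_ACTION:
            continue
        info = _parse_additional_fields(ev.get("AdditionalFields"))
        rows.append({
            "Timestamp": _ts(ev["Timestamp"]),
            "LateralMovementPathToSensitiveAccount": info.get("ACTOR.ACCOUNT"),
            "FromAccount": info.get("FROM.ACCOUNT"),
            "DeviceName": ev.get("DeviceName"),
            "AccountName": ev.get("AccountName"),
            "AccountDomain": ev.get("AccountDomain"),
        })
    return rows


def new_paths(events, now_iso, window_days=1, lookback_days=30):
    """Return rows whose (sensitive, from) path was seen in the last `window_days`
    but not in the `lookback_days` before that, i.e. paths that are genuinely new."""
    now = _ts(now_iso)
    window, lookback = timedelta(days=window_days), timedelta(days=lookback_days)
    recent, baseline = {}, set()
    for r in extract_lmp_events(events):
        path = (r["LateralMovementPathToSensitiveAccount"], r["FromAccount"])
        if None in path:
            continue  # incomplete or unparseable payload: nothing to compare
        age = now - r["Timestamp"]
        if timedelta(0) <= age < window:
            recent.setdefault(path, r)  # keep the first row seen for each path
        elif window <= age < window + lookback:
            baseline.add(path)
    return [r for path, r in recent.items() if path not in baseline]


if __name__ == "__main__":
    for r in new_paths(SAMPLE_EVENTS, "2023-02-15T00:00:00Z"):
        print(f"NEW path: {r['FromAccount']} -> {r['LateralMovementPathToSensitiveAccount']} "
              f"(seen on {r['DeviceName']} at {r['Timestamp']:%Y-%m-%d %H:%M})")
```

Run against the constructed rows with "now" set to 2023-02-15, the da-admin path is suppressed because it was already present in the baseline period, while the svc-sql path from bsmith is reported as new; the malformed row and the password-change event produce nothing. In KQL the same idea is a lookback anti-join (the recent window `join kind=leftanti` against the baseline on the two path columns), which is the query to run on a schedule if the goal is alerting on new paths rather than listing all of them.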

Details

Bert-Jan Pals

Released: February 14, 2023
