Query Details
//This query detects when device TCPIP configurations are modified to use non-trusted DHCP domains
//Helps identify when devices are using potentially unsafe networks (airports, hotels, coffee shops)
//Important for protecting sensitive data access until VPN or enterprise DHCP domain is confirmed
DeviceRegistryEvents
| where RegistryKey contains "tcpip"
| where RegistryValueName contains "dhcpdomain"
// To reduce the number of false positives, I filtered out local IPs, kept results containing "." (to reduce the number of local home routers) and excluded a specific country
| where RegistryValueData !contains "192." and RegistryValueData contains "." and RegistryValueData !endswith ".es"
This query is designed to identify when a device's TCP/IP settings are changed to use DHCP domains that are not trusted. This is important because it can indicate that the device is connected to potentially unsafe networks, such as those found in public places like airports, hotels, or coffee shops. The goal is to protect sensitive data until a secure connection, like a VPN or an enterprise DHCP domain, is established.
Here's a breakdown of what the query does:
Source of Data: It looks at events related to changes in the device's registry, specifically those involving TCP/IP configurations.
Filtering Criteria:
- Registry keys whose path contains "tcpip", i.e. the TCP/IP parameters.
- Registry values whose name contains "dhcpdomain", the domain suffix handed out by DHCP.
- Values containing "192." are excluded (local IP addresses), values without a "." are excluded (typical of home routers), and values ending in ".es" are excluded (a specific country).
Overall, the query aims to detect potentially unsafe network configurations by focusing on changes to DHCP settings that do not match trusted patterns.
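To make the keep/drop behaviour of those conditions concrete, here is an added Python re-implementation (not part of the original query or page) that applies the query's filters to constructed DeviceRegistryEvents rows, next to an allowlist variant that flags any DhcpDomain outside a known set of enterprise suffixes; the registry rows, device names and the trusted suffix are all assumptions.

```python
"""Run the hunting query's DhcpDomain conditions over constructed rows."""
from dataclasses import dataclass


@dataclass
class RegistryEvent:
    """Minimal stand-in for a DeviceRegistryEvents row (constructed)."""
    device: str
    key: str
    value_name: str
    value_data: str


# KQL `contains`, `!contains` and `endswith` are case-insensitive, so lower-case first.
def original_filter(ev: RegistryEvent) -> bool:
    """The page's query: substring checks plus the 192. / "." / .es exclusions."""
    d = ev.value_data.lower()
    return ("tcpip" in ev.key.lower()
            and "dhcpdomain" in ev.value_name.lower()
            and "192." not in d
            and "." in d
            and not d.endswith(".es"))


TRUSTED_SUFFIXES = ("corp.example.com",)  # assumed enterprise DHCP domain(s)


def allowlist_filter(ev: RegistryEvent, trusted=TRUSTED_SUFFIXES) -> bool:
    """Flag every DhcpDomain that is not (a subdomain of) a trusted suffix."""
    if "tcpip" not in ev.key.lower() or "dhcpdomain" not in ev.value_name.lower():
        return False
    d = ev.value_data.lower().rstrip(".")
    if not d:
        return False  # empty DhcpDomain: no domain was handed out at all
    return not any(d == t or d.endswith("." + t) for t in trusted)


# Constructed rows; the GUID in the key path is a placeholder.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER}"
EVENTS = [
    RegistryEvent("dev1", KEY, "DhcpDomain", "hotel-guest.example"),   # public network
    RegistryEvent("dev2", KEY, "DhcpDomain", "corp.example.com"),      # enterprise: false positive for the original
    RegistryEvent("dev3", KEY, "DhcpDomain", "cafe-wifi.es"),          # dropped by the .es exclusion
    RegistryEvent("dev4", KEY, "DhcpDomain", "home"),                  # dropped for lacking a "."
    RegistryEvent("dev5", KEY, "Domain", "corp.example.com"),          # wrong value name
    RegistryEvent("dev6", KEY, "DhcpDomain", "lan192.example.net"),    # "192." matches mid-string
]


def run(filter_fn, events=EVENTS) -> list[str]:
    """Return the devices a filter would surface, in row order."""
    return [ev.device for ev in events if filter_fn(ev)]


if __name__ == "__main__":
    print("original :", run(original_filter))
    print("allowlist:", run(allowlist_filter))
```

Comparing the two result lists shows which rows the substring exclusions silently drop and which enterprise domains the original surfaces as noise.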

Sergio Albea
Released: November 10, 2024