Query Details

NTLM Network Logon To Critical Device

Query

# *NTLM Network Logon to Critical Device*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1078 | Valid Accounts | https://attack.mitre.org/techniques/T1078 |

#### Description

This rule detects NTLM network logon events to devices identified as critical (criticality score >= 3). This could indicate an adversary attempting to move laterally or access sensitive systems using NTLM authentication, which is generally less secure than Kerberos.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/


## Defender XDR
```KQL
// NTLM network logons from the last 4 hours, keyed on the host part of the device FQDN
let NetworkLogons = DeviceLogonEvents
    | where Timestamp > ago(4h)
    | where LogonType == "Network"
    | where Protocol == "NTLM"
    // split() yields a dynamic array; cast the element to string so toupper() and the join key are string-typed
    | extend ShortDeviceName = toupper(tostring(split(DeviceName, ".")[0]));
NetworkLogons
| join kind=inner (
    ExposureGraphNodes
    | where Categories has "device"
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
    | extend ShortNodeName = toupper(tostring(split(NodeName, ".")[0]))
    | extend TargetCriticalityScore = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel)
    | extend TargetCriticalityRule = tostring(NodeProperties.rawData.criticalityLevel.ruleName)
    | project ShortNodeName, TargetCriticalityScore, TargetCriticalityRule
) on $left.ShortDeviceName == $right.ShortNodeName
// keep only targets the Exposure Management criticality rules score as critical
| where TargetCriticalityScore >= 3
```

Explanation

This query is designed to detect potentially suspicious network logon events using NTLM authentication on critical devices. Here's a simple breakdown of what the query does:

1. **Data source:** It starts from the `DeviceLogonEvents` table, looking only at events from the last 4 hours.
2. **Filter criteria:**
   - It keeps only events where the logon type is "Network" and the authentication protocol is "NTLM".
   - It derives the short name of the device by taking the part of the device name before the first period and converting it to uppercase.
3. **Join with critical devices:**
   - It joins the filtered logon data with `ExposureGraphNodes`, the dataset that carries the criticality information for devices.
   - It matches the short device name from the logon events against the short node name in that device list.
4. **Criticality check:**
   - It keeps only results where the target device has a criticality score of 3 or higher, meaning it is considered critical.

The purpose of this query is to identify NTLM network logons to critical devices, which could suggest an adversary is trying to move laterally or access sensitive systems using a less secure authentication method.
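To make the filter-and-join logic above testable offline, here is the same detection reimplemented in Python over constructed sample rows. This is an added example, not the author's code and not a Defender XDR API: the row dictionaries mirror only the `DeviceLogonEvents` and `ExposureGraphNodes` columns the KQL touches, the timestamps and host names are invented, and the `AccountName` column is included purely so the hits are readable. It also handles the edge cases the KQL relies on implicitly: FQDN versus bare hostname, mixed case, a node without a `criticalityLevel`, a score stored as a string, and a critical node that is not a device.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample rows (not real telemetry).
NOW = datetime(2026, 5, 27, 12, 0, tzinfo=timezone.utc)

LOGON_EVENTS = [  # mirrors DeviceLogonEvents columns used by the query
    {"Timestamp": NOW - timedelta(minutes=30), "DeviceName": "dc01.corp.example",
     "LogonType": "Network", "Protocol": "NTLM", "AccountName": "svc-backup"},
    {"Timestamp": NOW - timedelta(minutes=45), "DeviceName": "DC01.corp.example",
     "LogonType": "Network", "Protocol": "Kerberos", "AccountName": "alice"},   # Kerberos: excluded
    {"Timestamp": NOW - timedelta(hours=6), "DeviceName": "dc01.corp.example",
     "LogonType": "Network", "Protocol": "NTLM", "AccountName": "bob"},        # outside 4h window
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceName": "ws042.corp.example",
     "LogonType": "Network", "Protocol": "NTLM", "AccountName": "carol"},      # device has no criticality
    {"Timestamp": NOW - timedelta(minutes=10), "DeviceName": "fs01",
     "LogonType": "Interactive", "Protocol": "NTLM", "AccountName": "dave"},   # not a network logon
    {"Timestamp": NOW - timedelta(minutes=12), "DeviceName": "fs01.corp.example",
     "LogonType": "Network", "Protocol": "NTLM", "AccountName": "eve"},        # score 2: below threshold
]

EXPOSURE_NODES = [  # mirrors ExposureGraphNodes: NodeName, Categories, NodeProperties.rawData.criticalityLevel
    {"NodeName": "DC01.corp.example", "Categories": ["device", "domainController"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": 4, "ruleName": "Domain Controllers"}}}},
    {"NodeName": "fs01.corp.example", "Categories": ["device"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": "2", "ruleName": "File Servers"}}}},
    {"NodeName": "ws042.corp.example", "Categories": ["device"],
     "NodeProperties": {"rawData": {}}},                                       # no criticalityLevel -> isnotnull drops it
    {"NodeName": "svc-admin", "Categories": ["identity"],
     "NodeProperties": {"rawData": {"criticalityLevel": {"criticalityLevel": 5, "ruleName": "Admins"}}}},  # not a device
]


def short_name(name: str) -> str:
    """toupper(split(name, ".")[0]): host part of an FQDN, case-normalised for the join."""
    return name.split(".")[0].upper()


def critical_devices(nodes, min_score: int = 3) -> dict:
    """The right side of the join: short node name -> (criticality score, rule name).

    Applies the 'Categories has "device"', isnotnull(criticalityLevel) and
    toint(criticalityLevel) steps; the >= min_score filter is pulled in here
    because it only depends on right-side columns.
    """
    targets = {}
    for node in nodes:
        if "device" not in node.get("Categories", []):
            continue
        level = node.get("NodeProperties", {}).get("rawData", {}).get("criticalityLevel")
        if not level:
            continue
        try:
            score = int(level.get("criticalityLevel"))   # toint() tolerates "2" as well as 2
        except (TypeError, ValueError):
            continue                                     # toint() would yield null; drop the row
        if score >= min_score:
            targets[short_name(node["NodeName"])] = (score, str(level.get("ruleName", "")))
    return targets


def detect_ntlm_logons(events, nodes, now, lookback=timedelta(hours=4), min_score: int = 3) -> list:
    """Left side of the join plus the inner join itself; returns enriched hit rows."""
    targets = critical_devices(nodes, min_score)
    hits = []
    for e in events:
        if e["Timestamp"] <= now - lookback:             # Timestamp > ago(4h)
            continue
        if e["LogonType"] != "Network" or e["Protocol"] != "NTLM":
            continue
        key = short_name(e["DeviceName"])
        if key in targets:                               # join kind=inner on the short name
            score, rule = targets[key]
            hits.append({**e, "ShortDeviceName": key,
                         "TargetCriticalityScore": score, "TargetCriticalityRule": rule})
    return hits


if __name__ == "__main__":
    for hit in detect_ntlm_logons(LOGON_EVENTS, EXPOSURE_NODES, NOW):
        print(hit["AccountName"], "->", hit["ShortDeviceName"],
              hit["TargetCriticalityScore"], hit["TargetCriticalityRule"])
```

Running it against the constructed rows yields exactly one hit, the NTLM network logon by `svc-backup` to `DC01`; the Kerberos logon, the 6-hour-old event, the interactive logon and the logons to non-critical or unscored hosts all fall out at the same stage they would in the KQL. Lowering `min_score` to 2 admits the `FS01` logon, which is the knob to turn if your criticality rules score the devices you care about below 3.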

Details

Benjamin Zulliger

Released: May 27, 2026

Tables

DeviceLogonEvents, ExposureGraphNodes

Keywords

DeviceLogonEvents, Network, Protocol, NTLM, Timestamp, ExposureGraphNodes, Categories, NodeProperties, CriticalityLevel, CriticalityScore, RuleName

Operators

let, |, where, >, ago, ==, extend, toupper, split, join, kind=inner, has, isnotnull, toint, tostring, project, on, >=