Query Details

RID Hijacking Technique And Detection

Query

// RID Hijacking Technique and Detection

// https://asec.ahnlab.com/en/85942/

let EPwithNewLocalAccount =
DeviceEvents
| where Timestamp > ago(1h)
// new local account whose name contains "$", the naming used for system accounts and for hidden accounts
| where ActionType == "UserAccountCreated" and AccountName has "$"
| distinct DeviceName;
// per-user SAM entries live under this key; a RID hijack modifies them
DeviceRegistryEvents
| where RegistryKey has "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users"
| where DeviceName has_any(EPwithNewLocalAccount)

Explanation

This KQL (Kusto Query Language) query is designed to detect a potential security threat known as RID Hijacking. Here's a simple breakdown of what the query does:

  1. Identify New Local Accounts:

    • The query first looks at device events from the past hour (Timestamp > ago(1h)) to find instances where a new user account has been created (ActionType == "UserAccountCreated").
    • It specifically filters for accounts whose name contains a dollar sign (AccountName has "$"), a convention used by system accounts and, for that reason, by attackers who want a new account to look hidden.
    • It then collects a list of distinct device names (DeviceName) where these new accounts were created.
  2. Check Registry for Suspicious Activity:

    • The query then examines registry events for changes under the registry path where the SAM stores each local user's entry (HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users).
    • It keeps only the registry changes that occurred on devices identified in the first step (DeviceName has_any(EPwithNewLocalAccount)).

In summary, this query looks for devices where new, potentially suspicious local accounts have been created and then checks whether those same devices show changes to SAM user entries in the registry. Such changes could indicate RID Hijacking, a privilege-escalation technique in which an attacker edits a local account's entry in the SAM so that it is treated as a higher-privileged account.
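The same two-step logic, reproduced as an added Python example that is not part of this query page, run over constructed sample rows instead of Defender tables. The dataclasses, device names and key paths are assumptions for illustration; device names are matched exactly, which is stricter than KQL's term-based has_any.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SAM_USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

@dataclass
class DeviceEvent:            # subset of the DeviceEvents columns the query uses
    timestamp: datetime
    device_name: str
    action_type: str
    account_name: str

@dataclass
class RegistryEvent:          # subset of the DeviceRegistryEvents columns the query uses
    timestamp: datetime
    device_name: str
    registry_key: str

def devices_with_new_hidden_accounts(device_events, now, window=timedelta(hours=1)):
    """Step 1: distinct devices where an account whose name contains '$'
    was created inside the look-back window (Timestamp > ago(1h))."""
    return {
        e.device_name
        for e in device_events
        if e.timestamp > now - window
        and e.action_type == "UserAccountCreated"
        and "$" in e.account_name
    }

def sam_user_key_changes(registry_events, devices):
    """Step 2: registry events under the SAM Users key on those devices only."""
    return [
        r for r in registry_events
        if SAM_USERS_KEY.lower() in r.registry_key.lower() and r.device_name in devices
    ]

def rid_hijack_candidates(device_events, registry_events, now):
    return sam_user_key_changes(registry_events,
                                devices_with_new_hidden_accounts(device_events, now))

# Constructed sample telemetry (not real data); subkey names are hypothetical.
NOW = datetime(2025, 1, 26, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICE_EVENTS = [
    DeviceEvent(NOW - timedelta(minutes=10), "ws01", "UserAccountCreated", "support$"),
    DeviceEvent(NOW - timedelta(hours=3),    "ws02", "UserAccountCreated", "backup$"),  # outside 1h window
    DeviceEvent(NOW - timedelta(minutes=5),  "ws03", "UserAccountCreated", "jdoe"),     # no '$' in name
]
SAMPLE_REGISTRY_EVENTS = [
    RegistryEvent(NOW - timedelta(minutes=8), "ws01", SAM_USERS_KEY + r"\000003E9"),  # flagged
    RegistryEvent(NOW - timedelta(minutes=7), "ws01", r"HKEY_LOCAL_MACHINE\SOFTWARE\Example"),  # wrong key
    RegistryEvent(NOW - timedelta(minutes=6), "ws02", SAM_USERS_KEY + r"\000003EA"),  # account too old
    RegistryEvent(NOW - timedelta(minutes=4), "ws03", SAM_USERS_KEY + r"\000003EB"),  # no '$' account
]
```

Only the ws01 change is returned; the other three rows show the cases the query deliberately excludes.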

Details


Steven Lim

Released: January 26, 2025

Tables

DeviceEvents, DeviceRegistryEvents

Keywords

DeviceEvents, DeviceRegistryEvents, Timestamp, ActionType, AccountName, DeviceName, RegistryKey

Operators

let, |, where, >, ago(), and, has, distinct, has_any
