Query Details

Security Event Possible Unusual Remote Session In A Domain Controller

Query

let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
let _ExpectedRemoteSessionAccounts = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "DomainControllerRemoteSession"
    | summarize make_list(ActorPrincipalName)
);
let _ExpectedIPs = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Notes has "[PAM]"
    | summarize make_list(IPAddress)
);
union
    (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4673 and Computer has_any (_DomainControllers)// and Process has "svchost.exe"
    | summarize
        Count = count(),
        arg_min(TimeGenerated, *)
        by Computer, Account, Process
    | where TimeGenerated > ago(query_frequency)
    ),
    (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4674 and Computer has_any (_DomainControllers)
    | where (ObjectType has "Key" and (
            ObjectName has_all (@"\REGISTRY\USER\", @"_Classes\Local Settings\MuiCache\")
            or ObjectName has_all (@"\REGISTRY\USER\", @"\Software\Microsoft\Windows\CurrentVersion\CloudStore")
            or ObjectName has @"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"))
        or ObjectName has_all (@"\BaseNamedObjects\", @"WilStaging")
    | summarize
        Count = count(),
        ObjectNames = array_sort_asc(make_set(ObjectName, 50)),
        arg_min(TimeGenerated, *)
        by Computer, Account, ObjectType
    | where TimeGenerated > ago(query_frequency)
    ),
    (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4688 and Computer has_any (_DomainControllers) and not(TargetAccount has_any (@"Window Manager\DWM-", @"Font Driver Host\UMFD-"))// and NewProcessName has "wsmprovhost.exe"
    | summarize
        Count = count(),
        NewProcessNames = array_sort_asc(make_set(NewProcessName, 50)),
        arg_min(TimeGenerated, *)
        by Computer, Account, TargetAccount
    | where TimeGenerated > ago(query_frequency)
    )
| join kind=leftouter (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where Computer has_any (_DomainControllers) and EventID == 4624 and not(LogonType in (3))
    | project
        Logon_TimeGenerated = TimeGenerated,
        Computer,
        Account,
        Logon_IpAddress = IpAddress,
        TargetLogonId
    ) on Computer, Account, $left.SubjectLogonId == $right.TargetLogonId
| project-away *1
| where not(Account in (_ExpectedRemoteSessionAccounts) and Logon_IpAddress in (_ExpectedIPs))
| where not(EventID == 4688 and TargetAccount in (_ExpectedRemoteSessionAccounts))
| sort by Activity asc, Computer asc, Account asc, TargetAccount asc, TimeGenerated asc
| project
    TimeGenerated,
    Computer,
    AccountType,
    Account,
    TargetAccount,
    Activity,
    Count,
    ObjectType,
    ObjectNames,
    NewProcessNames,
    AccessMask,
    ProcessName,
    PrivilegeList,
    SubjectLogonId,
    TargetLogonId,
    Logon_TimeGenerated,
    Logon_IpAddress,
    EventData

Explanation

This query is designed to monitor and analyze security events related to domain controllers over a specified period. Here's a simplified breakdown of what it does:

  1. Setup and Definitions:

    • It defines a query_frequency of 1 hour and a query_period of 14 days.
    • It retrieves lists of domain controllers, expected remote session accounts, and expected IP addresses from specific watchlists.
  2. Event Collection:

    • It collects security events (Event IDs 4673, 4674, and 4688) from the past 14 days that involve domain controllers.
    • For each event type:
      • Event ID 4673: Privilege use events are summarized by computer, account, and process.
      • Event ID 4674: Object access events are summarized by computer, account, and object type, focusing on specific registry and object names.
      • Event ID 4688: New process creation events are summarized by computer, account, and target account, excluding certain system accounts.
  3. Logon Event Join:

    • It joins these events with logon events (Event ID 4624) to correlate activities with logon sessions, excluding network logons (LogonType 3).
  4. Filtering:

    • It filters out events involving expected remote session accounts and expected IP addresses.
    • It also excludes certain process creation events involving expected remote session accounts.
  5. Sorting and Projection:

    • The results are sorted by activity, computer, account, target account, and time.
    • It projects a set of relevant fields for further analysis, such as time generated, computer, account details, activity count, object names, process names, and logon details.

In essence, this query helps identify unusual or unexpected security events on domain controllers by comparing them against known expected behaviors and configurations.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: September 22, 2025

Tables

_GetWatchlistSecurityEvent

Keywords

QueryFrequencyPeriodDomainControllersExpectedRemoteSessionAccountsExpectedIPsSecurityEventTimeGeneratedEventIDComputerAccountProcessObjectTypeObjectNameTargetAccountLogonTypeLogonTimeGeneratedIpAddressTargetLogonIdActivityAccountTypeAccessMaskProcessNamePrivilegeListSubjectLogonIdEventData

Operators

lettoscalar_GetWatchlistwheresummarizemake_listagounionhas_anycountarg_minhas_allarray_sort_ascmake_setnotjoinkindprojectinproject-awaysortbyasc

Actions

GitHub