Query Details

Security Event Possible Unusual Remote Session In A Domain Controller

Query

let query_frequency = 1h;
let query_period = 14d;
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
union
    (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4673 and Computer has_any (_DomainControllers) // and Process has "svchost.exe"
    | summarize
        Count = count(),
        arg_min(TimeGenerated, *) by Computer, Account, Process
    | where TimeGenerated > ago(query_frequency)
    ),
    (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4674 and Computer has_any (_DomainControllers)
    | where (ObjectType has "Key" and (
            ObjectName has_all (@"\REGISTRY\USER\", @"_Classes\Local Settings\MuiCache\")
            or ObjectName has_all (@"\REGISTRY\USER\", @"\Software\Microsoft\Windows\CurrentVersion\CloudStore")
            or ObjectName has @"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters"))
        or ObjectName has_all (@"\BaseNamedObjects\", @"WilStaging")
    | summarize
        Count = count(),
        ObjectNames = array_sort_asc(make_set(ObjectName, 50)),
        arg_min(TimeGenerated, *) by Computer, Account, ObjectType
    | where TimeGenerated > ago(query_frequency)
    ),
    (
    SecurityEvent
    | where TimeGenerated > ago(query_period)
    | where EventID == 4688 and Computer has_any (_DomainControllers) and not(TargetAccount has_any (@"Window Manager\DWM-", @"Font Driver Host\UMFD-")) // and NewProcessName has "wsmprovhost.exe"
    | summarize
        Count = count(),
        NewProcessNames = array_sort_asc(make_set(NewProcessName, 50)),
        arg_min(TimeGenerated, *) by Computer, TargetAccount
    | where TimeGenerated > ago(query_frequency)
    )
| sort by Activity asc, Computer asc, Account asc, TargetAccount asc, TimeGenerated asc
| project
    TimeGenerated,
    Computer,
    AccountType,
    Account,
    TargetAccount,
    Activity,
    Count,
    ObjectType,
    ObjectNames,
    NewProcessNames,
    AccessMask,
    ProcessName,
    PrivilegeList,
    SubjectLogonId,
    EventData

Explanation

This KQL query is designed to monitor and analyze specific security events related to domain controllers over a specified period. Here's a simplified breakdown of what the query does:

  1. Setup Variables:

    • query_frequency: Sets the frequency for recent data to 1 hour.
    • query_period: Sets the total period for data analysis to 14 days.
    • _DomainControllers: Retrieves a list of domain controllers from a watchlist named "Service-PrivateCorporateServices" where the service is "DomainController".
  2. Event Analysis:

    • The query combines three different event types from the SecurityEvent table using a union operation:
      • Event ID 4673: Monitors privileged service operations on domain controllers. It counts occurrences and captures the earliest instance of each event by computer, account, and process.
      • Event ID 4674: Monitors attempts to access registry keys and named objects on domain controllers. It filters for specific registry paths and named objects, counts occurrences, and captures the earliest instance by computer, account, and object type.
      • Event ID 4688: Monitors new process creations on domain controllers, excluding certain target accounts. It counts occurrences and captures the earliest instance by computer and target account.
  3. Filtering and Sorting:

    • In each branch the recency filter (TimeGenerated > ago(query_frequency)) is applied after the summarize with arg_min, so it keeps only combinations whose earliest occurrence within the 14-day period falls inside the last hour; combinations already seen earlier in the baseline are suppressed.
    • The results are sorted by activity, computer, account, target account, and time generated in ascending order.
  4. Projection:

    • The final output includes selected fields: TimeGenerated, Computer, AccountType, Account, TargetAccount, Activity, Count, ObjectType, ObjectNames, NewProcessNames, AccessMask, ProcessName, PrivilegeList, SubjectLogonId, and EventData.

In summary, this query is used to track and analyze specific security-related activities on domain controllers over a two-week period, reporting only the account, process and object combinations that first appeared in the last hour. It helps identify potentially suspicious activities by examining privileged operations, registry access, and process creation events that are new relative to the baseline.
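To make the baseline behaviour concrete, the following added example (not part of the original query page) re-implements the 4688 branch in Python over constructed sample events; the DOMAIN_CONTROLLERS set, the ev() helper and the NOW timestamp are assumptions that stand in for the watchlist and ago().

```python
from datetime import datetime, timedelta, timezone

QUERY_FREQUENCY = timedelta(hours=1)   # query_frequency in the query
QUERY_PERIOD = timedelta(days=14)      # query_period in the query
EXCLUDED_TARGET_PREFIXES = (r"Window Manager\DWM-", r"Font Driver Host\UMFD-")  # not(TargetAccount has_any (...))

def first_seen_process_creations(events, domain_controllers, now):
    """Python rendering of the query's 4688 branch: group DC events by
    (Computer, TargetAccount) over the 14-day period, keep the earliest event
    (arg_min), a Count and the NewProcessName set, then report only groups whose
    earliest event lies in the last hour. `in` stands in for KQL's term-based has_any."""
    period_start = now - QUERY_PERIOD
    groups = {}
    for e in events:
        if e["EventID"] != 4688 or e["Computer"] not in domain_controllers:
            continue
        if e["TimeGenerated"] <= period_start:
            continue
        if any(p in e["TargetAccount"] for p in EXCLUDED_TARGET_PREFIXES):
            continue
        g = groups.setdefault((e["Computer"], e["TargetAccount"]),
                              {"Count": 0, "NewProcessNames": set(), "First": e})
        g["Count"] += 1
        g["NewProcessNames"].add(e["NewProcessName"])
        if e["TimeGenerated"] < g["First"]["TimeGenerated"]:
            g["First"] = e  # arg_min(TimeGenerated, *)
    results = []
    for (computer, target), g in groups.items():
        # Recency filter runs AFTER aggregation: a pair seen earlier in the baseline is suppressed.
        if g["First"]["TimeGenerated"] > now - QUERY_FREQUENCY:
            results.append({"TimeGenerated": g["First"]["TimeGenerated"],
                            "Computer": computer, "TargetAccount": target,
                            "Count": g["Count"],
                            "NewProcessNames": sorted(g["NewProcessNames"])})
    return sorted(results, key=lambda r: (r["Computer"], r["TargetAccount"]))
# Constructed sample events (not real telemetry); NOW pins ago() for reproducibility.
NOW = datetime(2025, 4, 30, 12, 0, tzinfo=timezone.utc)
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
def ev(minutes_ago, computer, target, process):
    return {"EventID": 4688, "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "Computer": computer, "TargetAccount": target, "NewProcessName": process}
SAMPLE_EVENTS = [
    # svc_backup has run backup.exe on DC01 daily for 13 days: known baseline, suppressed.
    *[ev(d * 1440 + 5, "DC01", r"CORP\svc_backup", r"C:\Backup\backup.exe") for d in range(13)],
    # jdoe first appears on DC01 30 minutes ago and launches two processes: reported.
    ev(30, "DC01", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
    ev(25, "DC01", r"CORP\jdoe", r"C:\Windows\System32\whoami.exe"),
    ev(10, "DC01", r"Window Manager\DWM-2", r"C:\Windows\System32\dwm.exe"),  # excluded account
    ev(5, "FS01", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),              # not a DC
]
```

Running first_seen_process_creations(SAMPLE_EVENTS, DOMAIN_CONTROLLERS, NOW) returns a single row for CORP\jdoe on DC01 with Count 2, while the daily svc_backup activity is suppressed because its earliest occurrence lies 12 days back in the baseline.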

Details


Jose Sebastián Canós

Released: April 30, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, DomainControllers, Computer, Account, Process, ObjectType, ObjectName, TargetAccount, NewProcessName, Activity, TimeGenerated, AccountType, AccessMask, PrivilegeList, SubjectLogonId, EventData

Operators

let, toscalar, _GetWatchlist, where, has_any, summarize, count, arg_min, ago, array_sort_asc, make_set, not, sort, project, union
