Query Details

Security Event Potential Remote Desktop Tunneling

Query

SecurityEvent
// Logon succeeded (4624) or failed (4625), logon type Unlock (7) or RemoteInteractive/RDP (10),
// reported from a loopback source address: an RDP session arriving via the local host
// suggests it reached the machine through a tunnel rather than directly over the network
| where EventID in (4624, 4625) and LogonType in (7, 10) and IpAddress has_any ("::1", "127.0.0.1")
// Workstation unlocks from the IPv4 loopback address are routine local activity, so drop them
| where not(LogonType == 7 and IpAddress == "127.0.0.1")
| project
    TimeGenerated,
    Computer,
    Activity,
    Account,
    AccountType,
    IpAddress,
    Process,
    LogonTypeName,
    FailureReason,
    Status,
    SubStatus,
    ElevatedToken,
    VirtualAccount,
    RestrictedAdminMode,
    TargetLogonId,
    TargetLinkedLogonId,
    WorkstationName

Explanation

This query looks at security events where the event ID is either 4624 (logon succeeded) or 4625 (logon failed), the logon type is either 7 (Unlock) or 10 (RemoteInteractive, the type used by RDP), and the source IP address is a loopback address, either "::1" or "127.0.0.1". An RDP logon whose source is the local host rather than a remote client is the signal of interest here: it suggests the session may be arriving through a local port forward or tunnel. However, the query excludes any events where the logon type is 7 and the IP address is "127.0.0.1", since workstation unlocks from the IPv4 loopback address are routine local activity.

For the events that meet these criteria, the query then displays the following information: the time the event was generated, the computer where the event occurred, the activity, the account involved, the type of account, the IP address, the process, the name of the logon type, the reason for failure (if any), the status, the sub-status, whether or not an elevated token was used, whether or not it was a virtual account, whether or not restricted admin mode was used, the target logon ID, the linked logon ID, and the workstation name.
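To check the filter logic, including its one exclusion, without a Log Analytics workspace, the following Python script re-implements the two where-clauses and the project clause and runs them over a few constructed SecurityEvent-like rows. This is an added example, not code from the original page or its author; the sample rows, the `_event` helper, the hostnames and accounts are all made up, and a plain substring test stands in for KQL's `has_any` on the two loopback literals.

```python
"""Offline simulation of the 'Potential Remote Desktop Tunneling' KQL query.

Added example, not part of the original page. The two where-clauses are
re-implemented in Python and run over constructed SecurityEvent-like rows,
so the filter (and its single exclusion) can be checked without a workspace.
A substring test stands in for KQL's has_any on the loopback literals.
"""
from typing import Any, Dict, Iterable, List

# Documented Windows logon types referenced by the query.
LOGON_TYPE_UNLOCK = 7                 # workstation unlock
LOGON_TYPE_REMOTE_INTERACTIVE = 10    # RDP / Terminal Services
LOGON_EVENT_IDS = {4624, 4625}        # logon succeeded / logon failed
LOOPBACK_ADDRESSES = ("::1", "127.0.0.1")

# Columns listed in the query's project clause.
PROJECTED_COLUMNS = [
    "TimeGenerated", "Computer", "Activity", "Account", "AccountType",
    "IpAddress", "Process", "LogonTypeName", "FailureReason", "Status",
    "SubStatus", "ElevatedToken", "VirtualAccount", "RestrictedAdminMode",
    "TargetLogonId", "TargetLinkedLogonId", "WorkstationName",
]


def matches_query(event: Dict[str, Any]) -> bool:
    """True when the row survives both where-clauses of the query."""
    if event.get("EventID") not in LOGON_EVENT_IDS:
        return False
    logon_type = event.get("LogonType")
    if logon_type not in (LOGON_TYPE_UNLOCK, LOGON_TYPE_REMOTE_INTERACTIVE):
        return False
    ip = event.get("IpAddress") or ""
    if not any(addr in ip for addr in LOOPBACK_ADDRESSES):
        return False
    # Exclusion from the query: an unlock (type 7) reported from the IPv4
    # loopback address is routine local console activity, not tunneling.
    if logon_type == LOGON_TYPE_UNLOCK and ip == "127.0.0.1":
        return False
    return True


def run_query(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the filter and the project clause; missing columns become None."""
    return [
        {col: event.get(col) for col in PROJECTED_COLUMNS}
        for event in events
        if matches_query(event)
    ]


def _event(event_id: int, logon_type: int, ip: str, account: str,
           **extra: Any) -> Dict[str, Any]:
    """Build a constructed SecurityEvent-like row (sample data, not real logs)."""
    names = {7: "7 - Unlock", 10: "10 - RemoteInteractive", 3: "3 - Network"}
    activity = (f"{event_id} - An account was successfully logged on."
                if event_id == 4624 else f"{event_id} - An account failed to log on.")
    row = {
        "TimeGenerated": "2023-08-21T10:00:00Z",   # constructed timestamp
        "Computer": "ws01.example.local",           # constructed host
        "Activity": activity,
        "Account": account,
        "AccountType": "User",
        "EventID": event_id,
        "LogonType": logon_type,
        "LogonTypeName": names.get(logon_type, str(logon_type)),
        "IpAddress": ip,
        "Process": "-",
        "WorkstationName": "WS01",
    }
    row.update(extra)
    return row


# Constructed sample rows covering each branch of the filter.
SAMPLE_EVENTS = [
    _event(4624, 10, "127.0.0.1", r"EXAMPLE\alice"),   # RDP via IPv4 loopback: match
    _event(4625, 10, "::1", r"EXAMPLE\bob",             # failed RDP via IPv6 loopback: match
           Status="0xc000006d", SubStatus="0xc000006a"),
    _event(4624, 7, "127.0.0.1", r"EXAMPLE\carol"),    # local unlock: excluded by 2nd where
    _event(4624, 7, "::1", r"EXAMPLE\dave"),           # unlock via IPv6 loopback: still matches
    _event(4624, 10, "10.0.0.5", r"EXAMPLE\erin"),     # RDP from the LAN: not loopback
    _event(4624, 3, "127.0.0.1", r"EXAMPLE\frank"),    # network logon: wrong logon type
]


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["TimeGenerated"], row["Account"], row["LogonTypeName"], row["IpAddress"])
```

Running the script lists three rows (alice, bob and dave); carol's unlock from 127.0.0.1 is dropped by the exclusion, while dave's unlock from ::1 is kept, which is exactly what the query's second where-clause does and a useful thing to keep in mind when tuning it.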

Details


Jose Sebastián Canós

Released: August 21, 2023

Tables

SecurityEvent

Keywords

SecurityEvent, EventID, LogonType, IpAddress, TimeGenerated, Computer, Activity, Account, AccountType, Process, LogonTypeName, FailureReason, Status, SubStatus, ElevatedToken, VirtualAccount, RestrictedAdminMode, TargetLogonId, TargetLinkedLogonId, WorkstationName

Operators

SecurityEvent, where, in, has_any, not, project
