Query Details

Security Event Unexpected Network Share Access In A Domain Controller

Query

let query_frequency = 1h;   // alert window: only combinations first seen within this window are returned
let query_period = 14d;     // baseline window used to decide whether a combination is new
// Host names of the domain controllers, taken from the corporate services watchlist.
let _DomainControllers = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
// Accounts expected to open shares on domain controllers: remote-session entries tagged [NetworkShareAccess].
let _ExpectedRemoteSessionAccounts = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "DomainControllerRemoteSession" and Notes has "[NetworkShareAccess]"
    | summarize make_list(ActorPrincipalName)
);
// Source addresses of the privileged access management (PAM) hosts, from the same services watchlist.
let _ExpectedIPs = toscalar(
    _GetWatchlist("Service-PrivateCorporateServices")
    | where Notes has "[PAM]"
    | summarize make_list(IPAddress)
);
SecurityEvent
| where TimeGenerated > ago(query_period)
// 5140 = "A network share object was accessed". ShareName is recorded literally as \\*\NAME, so the
// shares every domain member reads (SYSVOL, NETLOGON) and the IPC$ share are excluded by exact match.
| where EventID == 5140 and Computer has_any (_DomainControllers) and not(ShareName in (@"\\*\SYSVOL", @"\\*\IPC$", @"\\*\NETLOGON"))
// Earliest event per computer/account/source/share combination over the whole baseline window...
| summarize arg_min(TimeGenerated, *) by Computer, Account, IpAddress, ShareLocalPath, ShareName
// ...kept only if that first occurrence falls within the last hour, i.e. the combination is new.
| where TimeGenerated > ago(query_frequency)
// Drop the domain controller's own machine account (HOST$) reaching its own shares over loopback.
// Note: == is case-sensitive, so Computer and Account must agree on host name casing.
| where not(AccountType == "Machine" and IpAddress in ("127.0.0.1", "::1") and split(Account, @"\")[-1] == strcat(split(Computer, ".")[0], "$"))
// Drop expected accounts connecting from expected PAM addresses; both conditions must hold.
| where not(Account in (_ExpectedRemoteSessionAccounts) and IpAddress in (_ExpectedIPs))
| project
    TimeGenerated,
    Computer,
    AccountType,
    Account,
    IpAddress,
    Activity,
    ShareName,
    ShareLocalPath,
    ObjectType,
    SubjectLogonId,
    AccessList,
    AccessMask,
    EventData

Explanation

This KQL query identifies network share connections to domain controllers from account, source address and share combinations that have not been seen in the previous 14 days, after removing the traffic every domain member generates and the access expected from privileged access management hosts. Here's a breakdown of what the query does:

  1. Setup Timeframes:

    • query_period is set to 14 days: this is the baseline window. Every Event ID 5140 record from the last 14 days is read so the query can work out when each computer/account/source/share combination was first seen.
    • query_frequency is set to 1 hour: this is the alert window. A combination is reported only if its first occurrence within the 14-day baseline falls inside the last hour, so the rule is meant to run once an hour; running it less often leaves gaps, running it more often repeats alerts.
  2. Identify Domain Controllers:

    • It retrieves a list of hostnames for domain controllers from a watchlist named "Service-PrivateCorporateServices."
  3. Identify Expected Remote Session Accounts:

    • It retrieves, from the "Activity-ExpectedSignificantActivity" watchlist, the accounts whose Activity is "DomainControllerRemoteSession" and whose Notes carry the "[NetworkShareAccess]" tag. Only accounts explicitly tagged for share access are allow-listed, not every account permitted to open a remote session on a domain controller.
  4. Identify Expected IP Addresses:

    • It retrieves a list of expected IP addresses associated with privileged access management (PAM) from the same watchlist used for domain controllers.
  5. Filter Security Events:

    • The query filters SecurityEvent logs for Event ID 5140 ("A network share object was accessed") on the identified domain controllers. These events are only generated when the Object Access > Audit File Share subcategory is enabled in the domain controllers' audit policy, so confirm that setting before relying on this rule.
    • It excludes the shares every domain member touches as a matter of course: SYSVOL and NETLOGON (read at logon and Group Policy refresh) and the IPC$ inter-process communication share. Event 5140 records the share name literally as \\*\SHARE, so the asterisk in the filter is matched as a character rather than a wildcard and the comparison is an exact string match.
  6. Identify Unusual Access:

    • It reduces the 14 days of events to the earliest occurrence for each combination of computer, account, source IP address, share local path and share name, then keeps only the combinations whose earliest occurrence is within the last hour. An account that has been reaching the same share from the same address for days is therefore never reported; only new combinations are.
    • It excludes events where:
      • The account type is "Machine", the source IP address is a loopback address (127.0.0.1 or ::1) and the account name is the domain controller's own computer account (host name plus "$"), i.e. the DC reaching its own share locally. The comparison uses ==, which is case-sensitive in KQL, so the host name casing in Computer must match the casing in Account for this exclusion to take effect.
      • The account is in the expected remote session account list and the source IP address is in the expected PAM IP list. Both must match: an expected account connecting from an unexpected address, or an unexpected account connecting from a PAM address, is still reported.
  7. Output:

    • The query projects relevant details of the filtered events, such as the time generated, computer name, account type, account name, IP address, activity, share name, share local path, object type, subject logon ID, access list, access mask, and event data.

In summary, this query detects potentially unauthorized or unexpected network share access on domain controllers by baselining 14 days of Event ID 5140 activity, surfacing only the combinations first seen in the last hour, and suppressing the domain controllers' own local access and the access expected from PAM hosts.
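The filtering pipeline above, re-implemented in Python over a constructed set of 5140 rows so that the baseline/alert window logic and each exclusion can be exercised offline. This is an added example, not the original query or the author's code; the watchlist contents, host names, accounts and addresses are assumed stand-ins, and the has_any match is approximated by comparing the host label of the FQDN.

```python
"""Python re-implementation of the detection's filtering logic, run over constructed
SecurityEvent (EventID 5140) rows. Example code, not the original KQL; all hosts,
accounts, addresses and watchlist contents are assumed stand-ins."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 7, 12, 0, tzinfo=timezone.utc)
QUERY_FREQUENCY = timedelta(hours=1)   # alert window
QUERY_PERIOD = timedelta(days=14)      # baseline window

# Stand-ins for the three watchlist lookups (hypothetical values).
DOMAIN_CONTROLLERS = ["DC01", "DC02"]
EXPECTED_REMOTE_SESSION_ACCOUNTS = [r"CORP\pam-admin"]
EXPECTED_IPS = ["10.0.0.5"]

# Event 5140 records the share name literally as \\*\NAME; these are excluded by exact match.
BASELINE_SHARES = {r"\\*\SYSVOL", r"\\*\IPC$", r"\\*\NETLOGON"}
LOCAL_PATHS = {r"\\*\C$": "C:\\", r"\\*\ADMIN$": r"C:\Windows",
               r"\\*\SYSVOL": r"C:\Windows\SYSVOL\sysvol"}


def event(minutes_ago, computer, account, ip, share, account_type="User"):
    """Build one constructed 5140 row with the columns the query uses."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "EventID": 5140,
        "Computer": computer,
        "AccountType": account_type,
        "Account": account,
        "IpAddress": ip,
        "ShareName": share,
        "ShareLocalPath": LOCAL_PATHS.get(share, ""),
    }


# Constructed sample telemetry; comments state which rule each row exercises.
EVENTS = [
    event(40, "DC01.corp.local", r"CORP\WS01$", "10.1.2.50", r"\\*\SYSVOL", "Machine"),   # baseline share
    event(30, "DC01.corp.local", r"CORP\DC01$", "127.0.0.1", r"\\*\C$", "Machine"),       # DC self-access
    event(20, "DC01.corp.local", r"CORP\pam-admin", "10.0.0.5", r"\\*\ADMIN$"),           # expected account + PAM IP
    event(3 * 24 * 60, "DC02.corp.local", r"CORP\jdoe", "10.1.2.3", r"\\*\C$"),           # first seen 3 days ago
    event(10, "DC02.corp.local", r"CORP\jdoe", "10.1.2.3", r"\\*\C$"),                    # repeat, not new
    event(12, "ws01.corp.local", r"CORP\jdoe", "10.1.2.3", r"\\*\C$"),                    # not a domain controller
    event(15, "DC01.corp.local", r"CORP\svc-backup", "10.9.9.9", r"\\*\C$"),              # new combination: alert
    event(5, "DC02.corp.local", r"CORP\pam-admin", "10.1.2.3", r"\\*\ADMIN$"),            # expected account, wrong IP: alert
]


def is_domain_controller(computer):
    """Approximates `Computer has_any (_DomainControllers)` with a host-label match."""
    return computer.split(".")[0].lower() in {dc.lower() for dc in DOMAIN_CONTROLLERS}


def is_local_machine_account(ev):
    """The DC's own computer account (HOST$) over loopback. The KQL uses a case-sensitive
    == here; this version compares case-insensitively so casing differences cannot leak alerts."""
    host_account = ev["Computer"].split(".")[0].lower() + "$"
    return (ev["AccountType"] == "Machine"
            and ev["IpAddress"] in ("127.0.0.1", "::1")
            and ev["Account"].split("\\")[-1].lower() == host_account)


def detect(events, now=NOW):
    """Return the first-seen 5140 rows that survive the query's exclusions, oldest first."""
    first_seen = {}
    for ev in events:
        if ev["TimeGenerated"] <= now - QUERY_PERIOD or ev["EventID"] != 5140:
            continue
        if not is_domain_controller(ev["Computer"]) or ev["ShareName"] in BASELINE_SHARES:
            continue
        # arg_min(TimeGenerated, *) by Computer, Account, IpAddress, ShareLocalPath, ShareName
        key = (ev["Computer"], ev["Account"], ev["IpAddress"], ev["ShareLocalPath"], ev["ShareName"])
        if key not in first_seen or ev["TimeGenerated"] < first_seen[key]["TimeGenerated"]:
            first_seen[key] = ev
    alerts = []
    for ev in first_seen.values():
        # Only combinations whose FIRST occurrence in the baseline falls in the alert window are new.
        if ev["TimeGenerated"] <= now - QUERY_FREQUENCY:
            continue
        if is_local_machine_account(ev):
            continue
        if ev["Account"] in EXPECTED_REMOTE_SESSION_ACCOUNTS and ev["IpAddress"] in EXPECTED_IPS:
            continue
        alerts.append(ev)
    return sorted(alerts, key=lambda e: e["TimeGenerated"])


def alert_summary(events=EVENTS, now=NOW):
    """Compact (Computer, Account, IpAddress, ShareName) tuples for the surviving rows."""
    return [(e["Computer"], e["Account"], e["IpAddress"], e["ShareName"]) for e in detect(events, now)]


if __name__ == "__main__":
    for row in alert_summary():
        print(row)
```

Running the block prints two rows: the backup service account reaching C$ on DC01 for the first time, and the PAM account reaching ADMIN$ on DC02 from a non-PAM address. Deleting the three-day-old jdoe row from EVENTS makes the jdoe access on DC02 appear as well, which is the behaviour to keep in mind when the rule is first deployed: with an empty baseline, everything in the first hour is new.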

Details

Jose Sebastián Canós

Released: October 7, 2025

Tables

_GetWatchlist SecurityEvent

Keywords

DomainControllers RemoteSessionAccounts IPs SecurityEvent Computer Account IpAddress ShareLocalPath ShareName AccountType Activity ObjectType SubjectLogonId AccessList AccessMask EventData

Operators

let toscalar _GetWatchlist where summarize make_list has ago has_any not in arg_min by split strcat project
