Query Details

Zero Logon Ports

Query

//Ports accessed by Zerologon

DeviceNetworkEvents
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl

Explanation

This query looks for network connections to the ports used by Zerologon. It filters the DeviceNetworkEvents table to events whose RemotePort is 135 or in the inclusive range 49670 to 49680. It then summarizes the data per combination of DeviceId, DeviceName, RemoteIP, and RemoteUrl, keeping the event with the lowest ReportId (effectively the earliest) together with its Timestamp and initiating-process details, and collecting the distinct RemotePorts seen for that combination into a set. Finally, it renames the source and target columns in the result (SourceComputerName, SourceDeviceId, TargetDeviceIP, TargetComputerName).
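As an added illustration (not part of Rod Trent's query or of this page), the following Python reproduces the query's port filter, the arg_min/make_set summarization and the column renames over a handful of constructed DeviceNetworkEvents rows, so the semantics (inclusive range, lowest ReportId wins) can be checked offline. The rows, the "tool.exe" process name and the SID are made-up sample values.

```python
from typing import Dict, List

# Port 135 is the RPC endpoint mapper; KQL 'between (49670 .. 49680)' is inclusive on both ends.
ZEROLOGON_PORTS = {135} | set(range(49670, 49681))

GROUP_KEY = ("DeviceId", "DeviceName", "RemoteIP", "RemoteUrl")
ARG_MIN_FIELDS = ("Timestamp", "InitiatingProcessFileName",
                  "InitiatingProcessCommandLine", "InitiatingProcessAccountSid")
RENAMES = {"DeviceName": "SourceComputerName", "DeviceId": "SourceDeviceId",
           "RemoteIP": "TargetDeviceIP", "RemoteUrl": "TargetComputerName"}


def _ev(report_id: int, ts: str, dev_id: str, dev_name: str, ip: str, url: str, port: int) -> Dict:
    """Build one constructed DeviceNetworkEvents-shaped row (sample data, not real telemetry)."""
    return {"ReportId": report_id, "Timestamp": ts, "DeviceId": dev_id, "DeviceName": dev_name,
            "RemoteIP": ip, "RemoteUrl": url, "RemotePort": port,
            "InitiatingProcessFileName": "tool.exe",
            "InitiatingProcessCommandLine": f"tool.exe {url}",
            "InitiatingProcessAccountSid": "S-1-5-21-1-1-1-1001"}


SAMPLE_EVENTS: List[Dict] = [
    _ev(12, "2020-09-15T10:00:05Z", "dev-a", "ws01", "10.0.0.5", "dc01.corp.example", 135),
    _ev(9,  "2020-09-15T10:00:01Z", "dev-a", "ws01", "10.0.0.5", "dc01.corp.example", 49672),
    _ev(15, "2020-09-15T10:01:00Z", "dev-a", "ws01", "10.0.0.5", "dc01.corp.example", 443),    # dropped by the filter
    _ev(20, "2020-09-15T10:02:00Z", "dev-b", "ws02", "10.0.0.5", "dc01.corp.example", 49680),  # inclusive upper bound
    _ev(21, "2020-09-15T10:02:30Z", "dev-b", "ws02", "10.0.0.5", "dc01.corp.example", 49681),  # just outside the range
]


def zerologon_port_summary(events: List[Dict]) -> List[Dict]:
    """Mirror the query: where -> summarize arg_min(ReportId, ...), make_set(RemotePort) by ... -> project-rename."""
    groups: Dict[tuple, Dict] = {}
    for ev in events:
        if ev["RemotePort"] not in ZEROLOGON_PORTS:          # where RemotePort == 135 or between (...)
            continue
        key = tuple(ev[k] for k in GROUP_KEY)                # by DeviceId, DeviceName, RemoteIP, RemoteUrl
        g = groups.setdefault(key, {"first": ev, "ports": set()})
        if ev["ReportId"] < g["first"]["ReportId"]:          # arg_min(ReportId, ...): lowest ReportId wins
            g["first"] = ev
        g["ports"].add(ev["RemotePort"])                     # make_set(RemotePort)
    rows = []
    for key, g in groups.items():
        row = {RENAMES[k]: v for k, v in zip(GROUP_KEY, key)}  # project-rename
        row.update({f: g["first"][f] for f in ARG_MIN_FIELDS})
        row["TargetDevicePorts"] = sorted(g["ports"])
        rows.append(row)
    return rows
```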

Details


Rod Trent

Released: November 30, 2020

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,RemotePort,Timestamp,InitiatingProcessFileName,InitiatingProcessCommandLine,InitiatingProcessAccountSid,ReportId,DeviceId,DeviceName,RemoteIP,RemoteUrl,SourceComputerName,SourceDeviceId,TargetDeviceIP,TargetComputerName

Operators

where,or,between,summarize,arg_min,make_set,by,project-rename
