Use Exposure Management To Identify Local Ntlm Hashes From Sensitive Users
Query
ExposureGraphEdges
| where EdgeLabel has "has credentials of"
| extend parsedData = parse_json(EdgeProperties)
| extend NTLMHash = parsedData.rawData.ntlmHash.ntlmHash
| where NTLMHash == "true"
| project SourceNodeName, SourceNodeLabel, TargetNodeName
| join (IdentityInfo
| where Tags has "Sensitive"
| project AccountDisplayName
)
on $left.TargetNodeName == $right.AccountDisplayName
| summarize by SourceNodeName, SourceNodeLabel, TargetNodeName, AccountDisplayNameAbout this query
Use Exposure Management to identify local NTLM hashes from Sensitive Users
Description
Using the Exposure Management from Defender XDR, the following query with help identify locally available NTLM hashes from users marked as Sensitive.
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Credential Access
- Technique ID: T1003
- OS Credential Dumping
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 24/08/2024 | Initial publish |
Explanation
Summary
This query is designed to identify NTLM hashes of sensitive users using Microsoft Defender XDR's Exposure Management. Here's a simplified breakdown:
- Data Source: The query starts by looking at
ExposureGraphEdges, which contains information about relationships and credentials. - Filter: It filters the data to find edges labeled with "has credentials of".
- Extract NTLM Hashes: It parses the edge properties to extract NTLM hash information.
- Check NTLM Hash Presence: It checks if the NTLM hash is present (indicated by "true").
- Project Relevant Fields: It selects relevant fields like source node name, source node label, and target node name.
- Join with Sensitive Users: It joins this data with
IdentityInfoto find users tagged as "Sensitive". - Summarize Results: Finally, it summarizes the results by source node name, source node label, target node name, and account display name.
Purpose
The goal is to identify local NTLM hashes associated with sensitive users, which could indicate potential credential access threats.
MITRE ATT&CK Mapping
- Tactic: Credential Access
- Technique ID: T1003 (OS Credential Dumping)
Versioning
- Version 1.0: Initial publish on 24/08/2024
