Forum Discussion

evmillercf
Copper Contributor
Apr 13, 2023

Kusto Query: Clipboard access during RDP session

Greetings Tech Community,

I am a Threat Hunting newb, as well as a newb to Kusto / Microsoft Sentinel. I also don't have any experience with SQL, but I do have a little experience with Splunk. I need some help building (what I believe will be) a complex Kusto query. I apologize in advance if I say something that is completely off-base or doesn't make sense (see newb qualifications above).

My environment is fairly large (100K+ endpoints), so filtering the results down to a number that is manageable for human review is crucial. I am trying to improve my entity's security coverage by setting up a weekly alert for Clipboard access during an RDP session, either via the PowerShell command "Get-Clipboard" or the DLL call "GetClipboardData". ATM, the entity does not have script block logging turned on for endpoints, so I am deferring adding the PowerShell component to my query. I am using the default Clipboard query found in Azure Sentinel to target the DLL call. I hit a wall when it comes to limiting the search results to DLL calls that occur during an RDP session with a successful logon.

 

For the successful logon query, I have the following:

 

DeviceLogonEvents
| where Timestamp > ago(7d)
| where LogonType == "RemoteInteractive"   // RDP / Remote Desktop logons
| where ActionType == "LogonSuccess"
| summarize Count = count() by DeviceName, RemoteDeviceName, RemoteIP, RemoteIPType, LogonId
| where Count <= 5
| sort by Count asc, DeviceName asc

 

I am assuming/hoping that the Logon filter and the Clipboard filter are correct, but I don't know how to combine the two to get the final results I want: access to the target system clipboard during a successful RDP session. 

 

I hope this makes sense, and I hope someone can help me.

 

EvCF

2 Replies

  • Can you paste some records for reference here from DeviceLogonEvents table? Does this table have DLL call information in a column?
    •
      evmillercf
      Copper Contributor

      SuryaJ 

       

      The RDP Session query does not have DLL information in it. I am operating on the fact that the RDP Session will provide a LogonId (session ID) variable that I can then filter on in the Clipboard query (the default found in MS Sentinel), so that the intersection of the two provides a manageable number of results.

       

      I cannot post actual data due to security concerns, however, the RDP session data looks like this:

       

      Device Name      RemoteDeviceName   LogonId        RemoteIP         RemoteIPType   RemotePort      Count
      <computername>   <blank>            <6222631367>   10.xxx.xxx.xxx   Private        <port number>   1

       

      If I try to add this line after line 4 to the query:

       

      | where ActionType contains "GetClipboardData"

       

      I get zero hits ("No results found in the specified time frame."); this may not be an indication of an incorrect query, rather it could mean there just aren't any RDP sessions with the DLL call. However, I doubt that is the case.
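The zero-hit result above is what a filter on ActionType contains "GetClipboardData" inside DeviceLogonEvents would be expected to produce, because that table only holds logon events; the API call has to come from a second table and be joined back on the session. The query below is an added example written for this thread, not the original poster's query and not the Sentinel-supplied Clipboard query. It assumes that Defender for Endpoint records the call in DeviceEvents with ActionType "GetClipboardData" (check your tenant's ActionType values if it does not match), and that DeviceEvents exposes the caller's session as InitiatingProcessLogonId or LogonId, which can be matched against the LogonId in DeviceLogonEvents on the same device.

```kql
// Added example (not from the original post): correlate successful RDP logons
// with GetClipboardData calls made inside the same logon session.
// Assumptions: DeviceEvents holds the API call as ActionType "GetClipboardData",
// and the session id in DeviceEvents (InitiatingProcessLogonId / LogonId)
// matches DeviceLogonEvents.LogonId for the same device.
let lookback = 7d;
// Successful RDP (RemoteInteractive) logons, one row per session start
let rdpLogons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where LogonType == "RemoteInteractive"
    | where ActionType == "LogonSuccess"
    | project DeviceName, LogonId, LogonTime = Timestamp,
              AccountName, RemoteDeviceName, RemoteIP, RemoteIPType;
// Clipboard reads, keyed by the session of the process that made the call
let clipboardReads =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "GetClipboardData"
    | project DeviceName,
              // prefer the initiating process session; fall back to the event's own LogonId
              LogonId = coalesce(InitiatingProcessLogonId, LogonId),
              ClipboardTime = Timestamp,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName;
rdpLogons
| join kind=inner clipboardReads on DeviceName, LogonId
// LogonId values are only unique between reboots of one device, so require the
// clipboard read to happen after the logon it is being attributed to
| where ClipboardTime >= LogonTime
| summarize ClipboardReads = count(),
            FirstRead = min(ClipboardTime),
            LastRead = max(ClipboardTime),
            Processes = make_set(InitiatingProcessFileName, 20)
          by DeviceName, LogonId, LogonTime, AccountName,
             RemoteDeviceName, RemoteIP, RemoteIPType
| sort by ClipboardReads desc, DeviceName asc
```

Scoping the join to DeviceName plus LogonId, and then to reads that occur after the logon timestamp, is what keeps the result small on a 100K-endpoint estate: it returns one row per RDP session that actually read the clipboard, with the calling processes listed, rather than every clipboard read on every device. To add the PowerShell side later, a second source (for example DeviceEvents rows for script block logging, once it is enabled) can be unioned into clipboardReads with the same LogonId projection and the join left unchanged.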

Resources