Forum Discussion

evmillercf's avatar
evmillercf
Copper Contributor
Apr 13, 2023

Kusto Query: Clipboard access during RDP session

Greetings Tech Community,   I am a Threat Hunting newb, as well as a newb to Kusto / Microsoft Sentinel. I also don't have any experience with SQL, but I do have a little experience with Splunk. I ...
SuryaJ's avatar
SuryaJ
Icon for Microsoft rankMicrosoft
Apr 17, 2023
Can you paste some records for reference here from DeviceLogonEvents table? Does this table have DLL call information in a column?
  • evmillercf's avatar
    evmillercf
    Copper Contributor
    Apr 19, 2023

    SuryaJ 

     

    The RDP Session query does not have DLL information in it. I am operating on the fact that the RDP Session will provide a LogonId (session ID) variable that I can than filter on in the Clipboard query (the default found in MS Sentinel), so that the intersection of the two provides a manageable number of results.

     

    I cannot post actual data due to security concerns, however, the RDP session data looks like this:

     

    Device Name     RemoteDeviceName     LogonId     RemoteIP     RemoteIPType     RemotePort     Count

    <computername>     <blank>     <6222631367>     10.xxx.xxx.xxx     Private     <port number>     1

     

    If I try to add this line after line 4 to the query:

     

    | where ActionType contains "GetClipboardData"

     

    I get zero hits ("No results found in the specificed time frame."); this may not be an indication of an incorrect query, rather it could mean there just aren't any RDP sessions with the DLL call. However, I doubt that is the case.

Resources