Forum Discussion

Maximilian Grandahl Lærum's avatar
Aug 21, 2019

Threats > August 2019 RDP update advisory > Hunting Query

Hi! 

In the "August 2019 RDP update advisory" threat page, there is a hunting query:

 

 

// Find unusual processes with outbound connections to TCP port 3389 
NetworkCommunicationEvents 
| where RemotePort == 3389 
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
| where InitiatingProcessFileName !in~ //Remove common RDP programs
("mstsc.exe","RTSApp.exe", "RTS2App.exe","RDCMan.exe","ws_TunnelService.exe", 
"RSSensor.exe","RemoteDesktopManagerFree.exe","RemoteDesktopManager.exe", 
"RemoteDesktopManager64.exe","mRemoteNG.exe","mRemote.exe","Terminals.exe", 
"spiceworks-finder.exe","FSDiscovery.exe","FSAssessment.exe", "chrome.exe", 
"microsodeedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe", "", 
"RetinaEngine.exe", "Microsoft.Tri.Sensor.exe" ) 
and InitiatingProcessFolderPath  !has "program files" 
and InitiatingProcessFolderPath !has "winsxs" 
and InitiatingProcessFolderPath !contains "windows\\sys"
| where RemoteIP !in("127.0.0.1", "::1")
| summarize ComputerNames = make_set(ComputerName), 
ListofMachines = make_set(MachineId), 
make_set(EventTime), 
ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName, 
InitiatingProcessSHA1, bin(EventTime, 1d)

 

 

I am unable to create a detection rule based off this query alone:

 

"Unable to save detection rule
The query does not return the following columns that are required to create a detection rule:

MachineId
ReportId "

 

 

Can someone hit me up with a modified query that you can create a detection rule on?

  • Hi Maximilian Grandahl Lærum ,

    Replace the summarize row with instead (and remove the rest).

    | project EventTime,ComputerName,MachineId,RemoteIP,InitiatingProcessFileName,InitiatingProcessCommandLine,InitiatingProcessSHA1,ReportId

    The makeset function is grouping result and by changing you will get per machine instead.

    Another solution would be to append the last original line with 

    ,ReportId, MachineId
    but I would go for the first one
     
    Happy Hunting

     

  • Mattias Borg's avatar
    Mattias Borg
    Brass Contributor

    Hi Maximilian Grandahl Lærum ,

    Replace the summarize row with instead (and remove the rest).

    | project EventTime,ComputerName,MachineId,RemoteIP,InitiatingProcessFileName,InitiatingProcessCommandLine,InitiatingProcessSHA1,ReportId

    The makeset function is grouping result and by changing you will get per machine instead.

    Another solution would be to append the last original line with 

    ,ReportId, MachineId
    but I would go for the first one
     
    Happy Hunting

     

Resources