Forum Discussion
Threats > August 2019 RDP update advisory > Hunting Query
Hi!
In the "August 2019 RDP update advisory" threat page, there is a hunting query:
// Find unusual processes with outbound connections to TCP port 3389
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
// Exclude well-known RDP clients, management tools and scanners (case-insensitive match)
| where InitiatingProcessFileName !in~
("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
"RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
"RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
"spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
"microsoftedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe",
"RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
// Exclude binaries running from the usual install and system locations
and InitiatingProcessFolderPath !has "program files"
and InitiatingProcessFolderPath !has "winsxs"
and InitiatingProcessFolderPath !contains "windows\\sys"
// Ignore loopback connections
| where RemoteIP !in ("127.0.0.1", "::1")
// One row per process image, hash and day, listing the machines and times seen
| summarize ComputerNames = make_set(ComputerName),
ListofMachines = make_set(MachineId),
EventTimes = make_set(EventTime),
ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName,
InitiatingProcessSHA1, bin(EventTime, 1d)
I am unable to create a detection rule based off this query alone:
"Unable to save detection rule
The query does not return the following columns that are required to create a detection rule:
MachineId
ReportId "
Can someone hit me up with a modified query that you can create a detection rule on?
Hi Maximilian Grandahl Lærum ,
Replace the summarize row with the following instead (and remove the rest):
| project EventTime, ComputerName, MachineId, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA1, ReportId
The make_set function is grouping the result, and by changing it you will get one row per machine instead.
Another solution would be to append the last original line with
, ReportId, MachineId
but I would go for the first one.
Happy Hunting
- Mattias Borg, Brass Contributor
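Both fixes from the answer above, written out as complete queries. This is an added example, not code from the thread or from the advisory: the filter section is the advisory's query, and the names CommonRdpClients, EventTimes and ConnectionCount are labels chosen here. Option 1 drops the summarize and projects one row per connection event, which is what a Microsoft Defender ATP detection rule needs since it alerts per event and requires MachineId and ReportId in the output. Option 2 keeps the summarize and adds ReportId and MachineId to the by clause; because ReportId identifies an individual event, that grouping collapses to one row per event and the make_set columns no longer aggregate across machines, which is why Option 1 is the better choice.

```kusto
// Added example (not from the original thread or advisory).
// Shared exclusion list; name assumed here.
let CommonRdpClients = dynamic([
    "mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
    "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
    "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
    "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
    "microsoftedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe",
    "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe"]);
//
// Option 1 (recommended): one row per successful outbound RDP connection.
// The detection rule gets MachineId and ReportId for every alert it raises,
// plus the command line and folder path a responder needs for triage.
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
| where InitiatingProcessFileName !in~ (CommonRdpClients)
| where InitiatingProcessFolderPath !has "program files"
    and InitiatingProcessFolderPath !has "winsxs"
    and InitiatingProcessFolderPath !contains "windows\\sys"
| where RemoteIP !in ("127.0.0.1", "::1")
| project EventTime, ComputerName, MachineId, RemoteIP, RemotePort,
    InitiatingProcessFileName, InitiatingProcessFolderPath,
    InitiatingProcessCommandLine, InitiatingProcessSHA1, ReportId

// Option 2: keep the summarize but add the two required columns to the group-by.
// Grouping by ReportId (an event identifier) means each event becomes its own
// group, so ComputerNames/ListofMachines contain a single value and
// ConnectionCount is 1; the query saves as a detection rule, but the
// cross-machine aggregation of the original hunting query is lost.
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
| where InitiatingProcessFileName !in~ (CommonRdpClients)
| where InitiatingProcessFolderPath !has "program files"
    and InitiatingProcessFolderPath !has "winsxs"
    and InitiatingProcessFolderPath !contains "windows\\sys"
| where RemoteIP !in ("127.0.0.1", "::1")
| summarize ComputerNames = make_set(ComputerName),
    ListofMachines = make_set(MachineId),
    EventTimes = make_set(EventTime),
    ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName,
    InitiatingProcessSHA1, bin(EventTime, 1d), ReportId, MachineId
```

When turning Option 1 into a detection rule, tune the CommonRdpClients list to the RDP clients and scanners actually deployed in your environment before enabling it; the list from the advisory is a starting point, and any legitimate tool that is missing from it will alert on every connection.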
Thanks!
- Maximilian Grandahl Lærum, Brass Contributor