SOLVED

Threats > August 2019 RDP update advisory > Hunting Query


Hi! 

In the "August 2019 RDP update advisory" threat page, there is a hunting query:

// Find unusual processes with outbound connections to TCP port 3389
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
| where InitiatingProcessFileName !in~ // Remove common RDP programs
("mstsc.exe","RTSApp.exe", "RTS2App.exe","RDCMan.exe","ws_TunnelService.exe",
"RSSensor.exe","RemoteDesktopManagerFree.exe","RemoteDesktopManager.exe",
"RemoteDesktopManager64.exe","mRemoteNG.exe","mRemote.exe","Terminals.exe",
"spiceworks-finder.exe","FSDiscovery.exe","FSAssessment.exe", "chrome.exe",
"microsoftedgecp.exe", // the advisory text spells this "microsodeedgecp.exe", which would never match
"LTSVC.exe", "Hyper-RemoteDesktop.exe", "",
"RetinaEngine.exe", "Microsoft.Tri.Sensor.exe" )
and InitiatingProcessFolderPath !has "program files"
and InitiatingProcessFolderPath !has "winsxs"
and InitiatingProcessFolderPath !contains "windows\\sys"
| where RemoteIP !in("127.0.0.1", "::1")
| summarize ComputerNames = make_set(ComputerName),
ListofMachines = make_set(MachineId),
make_set(EventTime),
ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName,
InitiatingProcessSHA1, bin(EventTime, 1d)

I am unable to create a detection rule based off this query alone:

"Unable to save detection rule
The query does not return the following columns that are required to create a detection rule:

MachineId
ReportId "

Can someone hit me up with a modified query that you can create a detection rule on?

2 Replies
Best Response confirmed by Maximilian Grandahl Lærum (Occasional Contributor)
Solution

Hi @Maximilian Grandahl Lærum ,

Replace the summarize row with this instead (and remove the rest).

| project EventTime,ComputerName,MachineId,RemoteIP,InitiatingProcessFileName,InitiatingProcessCommandLine,InitiatingProcessSHA1,ReportId

The make_set function is grouping the results; by changing it you will get results per machine instead.

Another solution would be to append the last original line with 

,ReportId, MachineId
but I would go for the first one.

Happy Hunting
