August 2019 RDP update advisory: Hunting Query

In the "August 2019 RDP update advisory" threat page, there is a hunting query:

// Find unusual processes with outbound connections to TCP port 3389
// Source table assumed (not in the pasted query): NetworkCommunicationEvents, the
// pre-rename advanced hunting schema that has the ComputerName, MachineId and
// EventTime columns used below
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
| where InitiatingProcessFileName !in~ // Remove common RDP programs
    ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
     "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
     // note: "microsodeedgecp.exe" is spelled as in the advisory and will not match microsoftedgecp.exe
     "microsodeedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe", "",
     "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
    and InitiatingProcessFolderPath !has "program files"
    and InitiatingProcessFolderPath !has "winsxs"
    and InitiatingProcessFolderPath !contains "windows\\sys"
| where RemoteIP !in ("", "::1")
| summarize ComputerNames = make_set(ComputerName),
    ListofMachines = make_set(MachineId),
    ConnectionCount = dcount(RemoteIP) by InitiatingProcessFileName,
    InitiatingProcessSHA1, bin(EventTime, 1d)

I am unable to create a detection rule based off this query alone:

"Unable to save detection rule
The query does not return the following columns that are required to create a detection rule:
ReportId"

Can someone hit me up with a modified query that you can create a detection rule on?

2 Replies
best response confirmed by Maximilian Grandahl Lærum (Brass Contributor)

Hi @Maximilian Grandahl Lærum,

Replace the summarize row with this instead (and remove the rest).

| project EventTime, ComputerName, MachineId, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA1, ReportId

The make_set function is grouping results, and by changing it you will get one row per machine instead.

Another solution would be to append the last original line with

, ReportId, MachineId

but I would go for the first one.
Happy Hunting
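As an added example that is neither the advisory's query nor either reply's suggestion: a version that keeps a daily aggregation rather than projecting raw rows, while still returning the EventTime, MachineId and ReportId columns the detection rule asks for. It assumes the source table is NetworkCommunicationEvents and groups per machine, so ConnectionCount becomes a per-machine count instead of the advisory's fleet-wide one.

```kusto
// Added example, not the advisory's or the replies' query.
// Assumption: the source table is NetworkCommunicationEvents (pre-rename schema).
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
| where InitiatingProcessFileName !in~ // same exclusion list as the advisory
    ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
     "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
     "microsodeedgecp.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe",
     "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
    and InitiatingProcessFolderPath !has "program files"
    and InitiatingProcessFolderPath !has "winsxs"
    and InitiatingProcessFolderPath !contains "windows\\sys"
| where RemoteIP !in ("", "::1")
// Group per machine and per day so MachineId survives as a plain column.
// arg_max keeps the EventTime and ReportId of the newest matching event in each
// group; that event is what the detection rule attaches its alert to.
| summarize ConnectionCount = dcount(RemoteIP),
            RemoteIPs = make_set(RemoteIP),
            arg_max(EventTime, ReportId)
    by MachineId, ComputerName, InitiatingProcessFileName, InitiatingProcessSHA1,
       Day = bin(EventTime, 1d)
| project EventTime, ReportId, MachineId, ComputerName, Day,
          InitiatingProcessFileName, InitiatingProcessSHA1, ConnectionCount, RemoteIPs
```

Because the grouping is now per machine, an alert fires once per machine, process and day rather than once per process hash across the fleet; raise a ConnectionCount threshold in a final where clause if that is too noisy.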