Aug 20 2019 11:44 PM
Hi!
In the "August 2019 RDP update advisory" threat page, there is a hunting query:
// Find unusual processes with outbound connections to TCP port 3389
NetworkCommunicationEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess" and Protocol == "Tcp"
// Remove common RDP programs (case-insensitive match on the image name)
| where InitiatingProcessFileName !in~
    ("mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
     "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
     "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
     "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "chrome.exe",
     "MicrosoftEdgeCP.exe", "LTSVC.exe", "Hyper-RemoteDesktop.exe",
     "RetinaEngine.exe", "Microsoft.Tri.Sensor.exe")
    and InitiatingProcessFolderPath !has "program files"
    and InitiatingProcessFolderPath !has "winsxs"
    and InitiatingProcessFolderPath !contains "windows\\sys"
// Ignore loopback connections
| where RemoteIP !in ("127.0.0.1", "::1")
// Aggregate per process image / hash per day; this collapses MachineId into a set
| summarize ComputerNames = make_set(ComputerName),
            ListofMachines = make_set(MachineId),
            make_set(EventTime),
            ConnectionCount = dcount(RemoteIP)
            by InitiatingProcessFileName, InitiatingProcessSHA1, bin(EventTime, 1d)
I am unable to create a detection rule based off this query alone:
"Unable to save detection rule
The query does not return the following columns that are required to create a detection rule:
MachineId
ReportId "
Can someone hit me up with a modified query that you can create a detection rule on?
Aug 23 2019 05:34 AM
Solution
Hi @Maximilian Grandahl Lærum,
Replace the summarize row with instead (and remove the rest).
The make_set function groups the results, and by changing it you will get results per machine instead.
Another solution would be to append the last original line with