microsoft
/
Microsoft-365-Defender-Hunting-Queries
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Create Account brute force.txt

This commit is contained in:
Tomer Alpert (MSFT) 2018-11-22 16:07:01 +02:00 коммит произвёл GitHub
Родитель 92243b13e6
Коммит 3948fd0504
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 34 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

34
Lateral Movement/Account brute force.txt Normal file
Просмотреть файл

@ -0,0 +1,34 @@
// Query #1: Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.
LogonEvents
| where isnotempty(RemoteIP)
and AccountName !endswith "$"
and RemoteIPType == "Public" // Remove this line if you want to include Private IPs - and uncomment the next line
//and RemoteIPType != "Loopback"
| extend Account=strcat(AccountDomain, "\\", AccountName)
| summarize
Successful=countif(ActionType == "LogonSuccess"),
Failed = countif(ActionType == "LogonFailed"),
FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"),
SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"),
FailedAccounts = makeset(iff(ActionType == "LogonFailed", Account, ""), 5),
SuccessfulAccounts = makeset(iff(ActionType == "LogonSuccess", Account, ""), 5)
by ComputerName, RemoteIP, RemoteIPType
| where Failed > 10 and Successful > 0 and FailedAccountsCount > 2 and SuccessfulAccountsCount == 1
// Query #2: Look for machines failing to log-on to multiple machines or using multiple accounts
// Note - RemoteComputerName is not available in all remote logon attempts
LogonEvents
| where isnotempty(RemoteComputerName)
| extend Account=strcat(AccountDomain, "\\", AccountName)
| summarize
Successful=countif(ActionType == "LogonSuccess"),
Failed = countif(ActionType == "LogonFailed"),
FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"),
SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"),
FailedComputerCount = dcountif(ComputerName, ActionType == "LogonFailed"),
SuccessfulComputerCount = dcountif(ComputerName, ActionType == "LogonSuccess")
by RemoteComputerName
| where
Successful > 0 and
((FailedComputerCount > 100 and FailedComputerCount > SuccessfulComputerCount) or
(FailedAccountsCount > 100 and FailedAccountsCount > SuccessfulAccountsCount))