From 9ef093fa171c48a1bea5e6d65d55de7ad231ccd8 Mon Sep 17 00:00:00 2001 From: tali-ash <63594865+tali-ash@users.noreply.github.com> Date: Tue, 14 Jul 2020 10:52:03 +0300 Subject: [PATCH] Create ImpersonatedUserFootprint.md --- Lateral Movement/ImpersonatedUserFootprint.md | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 Lateral Movement/ImpersonatedUserFootprint.md diff --git a/Lateral Movement/ImpersonatedUserFootprint.md b/Lateral Movement/ImpersonatedUserFootprint.md new file mode 100644 index 0000000..a2bee70 --- /dev/null +++ b/Lateral Movement/ImpersonatedUserFootprint.md 
@@ -0,0 +1,57 @@ + +# ImpersonatedUserFootprint + +Azure ATP raises alert on suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack. +Once attackers gain credentials for a user with higher privileges, they will use the stolen credentials to sign into other devices and move laterally. +This query finds related sign-in events following overpass-the-hash attack to trace the footprint of the impersonated user. + +## Query + +``` +AlertInfo +| where ServiceSource == "Azure ATP" +| where Title == "Suspected overpass-the-hash attack (Kerberos)" +| extend AlertTime = Timestamp +| join + ( + AlertEvidence + | where EntityType == "User" + ) + on AlertId +| distinct AlertTime,AccountSid +| join kind=leftouter + ( + DeviceLogonEvents + | where LogonType == "Network" and ActionType == "LogonSuccess" + | extend LogonTime = Timestamp + ) + on AccountSid +| where LogonTime between (AlertTime .. (AlertTime + 2h)) +| project DeviceId , AlertTime , AccountName , AccountSid +``` +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|------------------------|----------|-------| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | V | https://attack.mitre.org/techniques/T1550/002/ | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + + +## Contributor info + +Microsoft threat protection team
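Review bot: In the query, `| join kind=leftouter ( DeviceLogonEvents ... ) on AccountSid` is immediately followed by `| where LogonTime between (AlertTime .. (AlertTime + 2h))`, which discards every row where the right side did not match (LogonTime is null there), so the left-outer join behaves exactly like an inner join and should be written as one to make the intent clear. Two smaller points on the same block: the DeviceLogonEvents side carries no time filter before the join, so the whole table is joined on AccountSid and only then trimmed to the two-hour window; adding a `| where Timestamp > ago(...)` inside that subquery (bounded to the alert lookback used for AlertInfo) keeps the join cheap. Also, the window opens exactly at AlertTime, so a network logon recorded shortly before the alert's own Timestamp (alert latency) is excluded; if that is intended, a sentence in the description saying the lookup starts at alert time would help readers tune it. Minor: the table header says `(v=yes)` but the Lateral movement row uses `V`.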