Query Details

Microsoft Defender for Identity - Attack Disruption

MDI Attack Disruption

Query

let AllDomainControllers =
        DeviceNetworkEvents
        | where TimeGenerated > ago(7d)
        | where LocalPort == 88
        | where LocalIPType == "FourToSixMapping"
        | extend DCDevicename = tostring(split(DeviceName,".")[0])
        | distinct DCDevicename;
IdentityDirectoryEvents
| where TimeGenerated > ago(190d)
| where ActionType == "Account disabled"
| extend ACTOR_DEVICE = tolower(tostring(AdditionalFields.["ACTOR.DEVICE"]))
| where isnotempty( ACTOR_DEVICE)
| where ACTOR_DEVICE in (AllDomainControllers)
| project TimeGenerated, TargetAccountDisplayName, ACTOR_DEVICE

About this query

Explanation

This KQL query is designed to identify and analyze Active Directory accounts that have been disabled by a domain controller, as part of attack disruption efforts using Microsoft Defender for Identity. Here's a simplified breakdown of what the query does:

  1. Identify Domain Controllers:

    • The first part of the query identifies all domain controllers by filtering network events from the last 7 days where the local port is 88 (typically used for Kerberos authentication) and the IP type indicates a specific mapping. It extracts and lists the distinct domain controller device names.
  2. Find Disabled Accounts:

    • The second part of the query looks at identity directory events from the past 190 days to find instances where accounts were disabled. It checks if the action was performed by one of the identified domain controllers and lists the time, target account display name, and the actor device.
  3. Check Entra ID Audit Logs:

    • If the disabled account is synchronized with Entra ID (Azure AD), the query checks the Entra ID Audit logs for 'Disable account' or 'Update user' operations. It expands the target resources to get details about the actor and target user principal names, account enabled status, and action client name.
  4. Retrieve Remediation Actions:

    • The final part of the query retrieves remediation actions from Defender for Identity. It looks at cloud app events related to Microsoft Defender for Identity where remediation actions were added. It extracts details like the action type, result status, and the account SID, and joins this data with identity information to provide a comprehensive view of the actions taken.

Overall, this query helps security analysts monitor and investigate account disabling activities and remediation actions within their Active Directory environment, enhancing their ability to respond to potential security threats.

Details

Alex Verboon profile picture

Alex Verboon

Released: May 31, 2024

Tables

DeviceNetworkEventsIdentityDirectoryEventsAuditLogsIdentityInfoCloudAppEvents

Keywords

MicrosoftDefenderIdentityDomainControllerActiveDirectoryAccountsEntraIDAuditLogsCloudAppEvents

Operators

letwhereagoextendtostringsplitdistinctinprojectmv-expandparse_jsonmv-applysummarizearg_maxparse-kvjoinkind=leftouter

MITRE Techniques

Actions

GitHub