Multiple Unexpected Named Pipes On Multiple Devices
Query
// Related to https://github.com/ep3p/Sentinel_KQL/blob/main/Queries/Defender%20for%20Identity/IdentityLogonEvents-Unexpected%20access%20to%20multiple%20devices.kql
let query_frequency = 1h;
let query_period = 14d;
let device_threshold = 10;
let excluded_department_jobtitle = dynamic([]);
let excluded_accountnames = dynamic([]);
DeviceEvents
| where TimeGenerated > ago(query_period)
| where ActionType == "NamedPipeEvent"// and InitiatingProcessVersionInfoFileDescription == "NT Kernel & System"
| extend AdditionalFields = todynamic(AdditionalFields)
| where AdditionalFields["FileOperation"] == "File opened"
and AdditionalFields["NamedPipeEnd"] == "Client"
and AdditionalFields["RemoteClientsAccess"] == "AcceptRemote"
and AdditionalFields["ShareName"] == "IPC$"
| extend PipeName = tostring(AdditionalFields["PipeName"])
| summarize TimeGenerated = arg_min(TimeGenerated, *) by DeviceId, RemoteIP, AccountSid, PipeName
| where TimeGenerated > ago(query_frequency)
| extend BinTimeGenerated = bin(TimeGenerated, query_frequency)
| join hint.strategy=shuffle kind=leftouter (
DeviceLogonEvents
| where TimeGenerated > ago(query_frequency)
| where ActionType == "LogonSuccess" //and Protocol == "NTLM"
| summarize LogonProtocols = make_set(Protocol) by BinTimeGenerated = bin(TimeGenerated, query_frequency), DeviceId, RemoteIP, AccountSid
) on BinTimeGenerated, DeviceId, RemoteIP, AccountSid
// Related event
// | join hint.shufflekey=DeviceId kind=leftouter (
// DeviceNetworkEvents
// | where TimeGenerated > ago(query_frequency)
// | where ActionType in ("InboundConnectionAccepted") // Other related events might be "ConnectionAttempt", "NetworkSignatureInspected"
// | where LocalPort == "445" and Protocol == "Tcp" and InitiatingProcessVersionInfoFileDescription == "NT Kernel & System"
// | extend RemoteIP = iff(RemoteIPType == "FourToSixMapping", trim_start("::ffff:", RemoteIP), RemoteIP)
// ) on DeviceId, RemoteIP
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
TargetDevices = array_sort_asc(make_set(DeviceName, 100)),
LogonProtocols = array_sort_asc(make_set(LogonProtocols, 100)),
PipeNames = array_sort_asc(make_set(PipeName, 100)),
take_any(ActionType, ReportId)
by RemoteIP, AccountSid
| lookup kind=leftouter (
IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId, OnPremSid
| project OnPremSid, AccountName, AccountUpn, AccountDisplayName, Department, JobTitle
) on $left.AccountSid == $right.OnPremSid
| where not(
Department has_any (excluded_department_jobtitle)
or JobTitle has_any (excluded_department_jobtitle)
or AccountName in (excluded_accountnames)
)
| extend TargetDevicesCount = array_length(TargetDevices)
| where TargetDevicesCount > device_threshold
| project
StartTime,
EndTime,
RemoteIP,
AccountDisplayName,
AccountSid,
AccountName,
AccountUpn,
ActionType,
PipeNames,
LogonProtocols,
TargetDevicesCount,
TargetDevices,
Department,
JobTitleExplanation
This KQL query is designed to identify unusual access patterns to multiple devices within a network. Here's a simplified explanation of what the query does:
-
Time Frame and Thresholds: The query looks at events from the past 14 days (
query_period) and checks for activity that occurred in the last hour (query_frequency). It focuses on scenarios where a single account accesses more than 10 devices (device_threshold). -
Event Filtering:
- It starts by filtering
DeviceEventsto find "NamedPipeEvent" actions where a file operation was "File opened" via a named pipe, specifically targeting the "IPC$" share with remote client access. - It then summarizes these events by device, remote IP, account ID, and pipe name, focusing on the most recent event within the last hour.
- It starts by filtering
-
Logon Events:
- The query joins these events with
DeviceLogonEventsto find successful logons (LogonSuccess) from the same devices, IPs, and accounts within the same time frame.
- The query joins these events with
-
Identity Information:
- It enriches the data with identity information from
IdentityInfo, linking account SIDs to user details like account name, display name, department, and job title.
- It enriches the data with identity information from
-
Exclusions:
- It excludes any accounts or departments/job titles specified in the
excluded_accountnamesorexcluded_department_jobtitlelists.
- It excludes any accounts or departments/job titles specified in the
-
Summarization:
- The query summarizes the data to find the start and end times of the access, the devices accessed, the logon protocols used, and the named pipes involved.
- It calculates the number of target devices accessed and filters out any results where this count is not greater than the specified threshold.
-
Output:
- Finally, it projects a list of relevant details, including the time range, remote IP, account details, action type, pipe names, logon protocols, and the list of devices accessed.
In essence, this query is used to detect and report on potentially suspicious activity where an account unexpectedly accesses a large number of devices, which could indicate a security incident.
Details

Jose Sebastián Canós
Released: June 26, 2024
Tables
Keywords
Operators