Query Details

Hunt for newly identified lateral movement paths to sensitive accounts

New Lateral Movement Path To Sensitive Account Identified

Query

IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = AdditionalFields.['ACTOR.ACCOUNT']
| extend FromAccount = AdditionalFields.['FROM.ACCOUNT']
| project
     Timestamp,
     LateralMovementPathToSensitiveAccount,
     FromAccount,
     DeviceName,
     AccountName,
     AccountDomain

About this query

Hunt for newly identified lateral movement paths to sensitive accounts

Query Information

Description

Defender For Identity identifies lateral movement paths to all sensitive accounts (if possible). This is similar to a Bloodhound output. A newly identified path can mean that a sensitive account can be taken over if the path is followed.

References

Defender XDR

Sentinel

IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
| extend AdditionalInfo = parse_json(AdditionalFields)
| extend LateralMovementPathToSensitiveAccount = AdditionalFields.['ACTOR.ACCOUNT']
| extend FromAccount = AdditionalFields.['FROM.ACCOUNT']
| project
     TimeGenerated,
     LateralMovementPathToSensitiveAccount,
     FromAccount,
     DeviceName,
     AccountName,
     AccountDomain

Explanation

This query is designed to detect and highlight potential security risks related to lateral movement within a network, specifically targeting sensitive accounts. Here's a simplified breakdown:

  1. Purpose: The query aims to identify new paths that could potentially allow unauthorized access to sensitive accounts within an organization's network. This is crucial for preventing account takeovers.

  2. Data Source: It uses data from identity directory events, which track actions and changes related to user accounts and their interactions within the network.

  3. Key Action: The query filters events where a "Potential lateral movement path" has been identified. This indicates a possible route through which an attacker could move laterally across the network to reach a sensitive account.

  4. Details Extracted:

    • Timestamp/TimeGenerated: The time when the potential path was identified.
    • LateralMovementPathToSensitiveAccount: The sensitive account that could be compromised if the path is exploited.
    • FromAccount: The account from which the lateral movement could originate.
    • DeviceName: The device involved in the event.
    • AccountName and AccountDomain: Information about the account involved in the event.
  5. Tools: The query is structured for use in two different security platforms: Defender XDR and Sentinel. Both platforms use similar logic but have slight differences in field names (e.g., Timestamp vs. TimeGenerated).

Overall, this query helps security teams proactively identify and mitigate risks by understanding potential lateral movement paths to sensitive accounts, thereby enhancing the organization's security posture.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEventsActionTypeAdditionalInfoLateralMovementPathToSensitiveAccountFromDeviceNameDomainTimeGenerated

Operators

whereextendparse_jsonproject

Actions

GitHub