Query Details

Use Exposure Management To Identify Local Ntlm Hashes From Sensitive Users

Query

ExposureGraphEdges
    | where EdgeLabel has "has credentials of"
    | extend parsedData = parse_json(EdgeProperties)
    | extend NTLMHash = parsedData.rawData.ntlmHash.ntlmHash
    | where NTLMHash == "true"
    | project SourceNodeName, SourceNodeLabel, TargetNodeName
| join (IdentityInfo
    | where Tags has "Sensitive"
    | project AccountDisplayName
    )
on $left.TargetNodeName == $right.AccountDisplayName
| summarize by SourceNodeName, SourceNodeLabel, TargetNodeName, AccountDisplayName

About this query

Use Exposure Management to identify local NTLM hashes from Sensitive Users

Description

Using the Exposure Management from Defender XDR, the following query with help identify locally available NTLM hashes from users marked as Sensitive.

Microsoft Defender XDR

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.024/08/2024Initial publish

Explanation

Summary

This query is designed to identify NTLM hashes of sensitive users using Microsoft Defender XDR's Exposure Management. Here's a simplified breakdown:

  1. Data Source: The query starts by looking at ExposureGraphEdges, which contains information about relationships and credentials.
  2. Filter: It filters the data to find edges labeled with "has credentials of".
  3. Extract NTLM Hashes: It parses the edge properties to extract NTLM hash information.
  4. Check NTLM Hash Presence: It checks if the NTLM hash is present (indicated by "true").
  5. Project Relevant Fields: It selects relevant fields like source node name, source node label, and target node name.
  6. Join with Sensitive Users: It joins this data with IdentityInfo to find users tagged as "Sensitive".
  7. Summarize Results: Finally, it summarizes the results by source node name, source node label, target node name, and account display name.

Purpose

The goal is to identify local NTLM hashes associated with sensitive users, which could indicate potential credential access threats.

MITRE ATT&CK Mapping

  • Tactic: Credential Access
  • Technique ID: T1003 (OS Credential Dumping)

Versioning

  • Version 1.0: Initial publish on 24/08/2024

Details

Michalis Michalos profile picture

Michalis Michalos

Released: August 23, 2024

Tables

ExposureGraphEdgesIdentityInfo

Keywords

ExposureManagementUsersCredentialsIdentitySensitive

Operators

hasextendparse_jsonwhereprojectjoinonsummarize

MITRE Techniques

Actions

GitHub