
Lateral Movement Detection

This query identifies potential lateral movement activities by detecting remote connections and credential usage patterns across multiple hosts.

Tags: Network, detection, T1021.001, T1021.002, T1135
FDR · intermediate · by ByteRay GmbH (cql-hub.com) · 1 min read

Query

// Outbound connections on SMB (445), RDP (3389) and WinRM (5985); the Falcon event is NetworkConnectIP4
#event_simpleName=NetworkConnectIP4
| (RemotePort=445 OR RemotePort=3389 OR RemotePort=5985)
// Lateral movement is host-to-host: keep only destinations inside the RFC 1918 ranges
| cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
// Originating process: the connection's ContextProcessId matches the process's TargetProcessId on the same sensor
| join({#event_simpleName=ProcessRollup2}, field=[aid, ContextProcessId], key=[aid, TargetProcessId], include=[ImageFileName, CommandLine, AuthenticationId])
// Resolve the logon session of that process to a user name
| join({#event_simpleName=UserIdentity}, field=AuthenticationId, include=[UserName])
| table([aid, UserName, ImageFileName, RemoteAddressIP4, RemotePort, CommandLine])

Explanation

Imported from cql-hub.com. The query reads pipe by pipe as follows: it selects Falcon network connection events, keeps only those whose RemotePort is SMB (445), RDP (3389) or WinRM (5985), and applies a cidr() filter on RemoteAddressIP4 against the three RFC 1918 ranges so that the result is limited to internal host-to-host traffic (lateral movement does not target public destinations). It then joins ProcessRollup2 on the process identifier to pull in ImageFileName and CommandLine of the process that opened the connection, joins UserIdentity on the logon session id to resolve UserName, and finally tabulates sensor id, user, process, destination address, port and command line.
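The same filtering and join logic applied offline to a few constructed Falcon-style events, as an added example (not cql-hub.com or ByteRay code), so each step can be checked before the query is run in LogScale. Field names follow the Falcon schema; event values, aid and the user name are invented.

```python
# Added example (not cql-hub.com / ByteRay code): the query's logic run offline
# over constructed Falcon-style events. Field names follow the Falcon schema.
import ipaddress

LATERAL_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """Equivalent of cidr(RemoteAddressIP4, subnet=[...]) over the RFC 1918 ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def lateral_movement_rows(events):
    """Rows of (aid, UserName, ImageFileName, RemoteAddressIP4, RemotePort, CommandLine)."""
    # Index the enrichment events the way the two join() calls key them.
    procs = {(e["aid"], e["TargetProcessId"]): e
             for e in events if e["event_simpleName"] == "ProcessRollup2"}
    users = {(e["aid"], e["AuthenticationId"]): e["UserName"]
             for e in events if e["event_simpleName"] == "UserIdentity"}
    rows = []
    for e in events:
        if e["event_simpleName"] != "NetworkConnectIP4":
            continue
        port = int(e["RemotePort"])
        if port not in LATERAL_PORTS or not is_internal(e["RemoteAddressIP4"]):
            continue
        # join() is an inner join: connections without a matching process or user are dropped.
        proc = procs.get((e["aid"], e["ContextProcessId"]))
        user = users.get((e["aid"], proc["AuthenticationId"])) if proc else None
        if user is None:
            continue
        rows.append((e["aid"], user, proc["ImageFileName"],
                     e["RemoteAddressIP4"], port, proc["CommandLine"]))
    return rows

# Constructed sample events (values invented): one internal RDP session plus two non-matching connections.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "TargetProcessId": "100",
     "AuthenticationId": "999", "CommandLine": "mstsc.exe /v:10.0.5.20",
     "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\mstsc.exe"},
    {"event_simpleName": "UserIdentity", "aid": "a1", "AuthenticationId": "999", "UserName": "jdoe"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "ContextProcessId": "100",
     "RemoteAddressIP4": "10.0.5.20", "RemotePort": "3389"},    # internal RDP: reported
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "ContextProcessId": "100",
     "RemoteAddressIP4": "203.0.113.9", "RemotePort": "3389"},  # public address: dropped
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "ContextProcessId": "100",
     "RemoteAddressIP4": "10.0.5.21", "RemotePort": "443"},     # HTTPS: dropped
]
```

Running `lateral_movement_rows(SAMPLE_EVENTS)` yields exactly one row, the internal RDP connection attributed to jdoe and mstsc.exe.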

Variables to adjust

Review and adjust the values for your environment: the RemotePort list (which remote-administration ports count as lateral movement for you) and the subnet list passed to cidr() (your internal address ranges, if they differ from the RFC 1918 defaults).