SMB Enumeration | Defender for Identity
This detection query detects SMB enumeration based on the Microsoft Defender for Identity module.
Identity, detection, T1135
FDR, intermediate. By Kundan Kumar (cql-hub.com). 1 min read
Query
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityDirectoryEvents"
| event.action = "smb session"
| #event.outcome = "success"
| groupBy([user.name, source.address], function=[
    count(as=smb_sessions),
    count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),
    collect(fields=Vendor.properties.DestinationDeviceName),
    collect(fields=Vendor.properties.AdditionalFields.DestinationComputerOperatingSystem),
    min(@timestamp, as=start_time),
    max(@timestamp, as=end_time)
  ])
| unique_destinations >= 3
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 10
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([unique_destinations], order=desc)
Explanation
Imported from cql-hub.com. Add the pipe-by-pipe explanation here.
Variables to adjust
Review and adjust the values for your environment.
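To see how the thresholds in the query behave, here is an added Python re-implementation of the same logic (filter, groupBy on user and source, distinct-destination count of at least 3, a 10-minute window, and descending sort) run over a handful of constructed events. This is example code written for this page, not part of the cql-hub.com query or of Defender for Identity; the event records, host names, users, addresses and timestamps are all made up, and the flat field names simply mirror the ones the query references.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time

DEST = "Vendor.properties.DestinationDeviceName"
OS = "Vendor.properties.AdditionalFields.DestinationComputerOperatingSystem"


def _ts(minutes):
    """Epoch milliseconds for BASE + minutes (the unit the query's @timestamp math assumes)."""
    return int((BASE + timedelta(minutes=minutes)).timestamp() * 1000)


def _ev(user, src, dest, os_name, minutes, outcome="success"):
    """Build one constructed IdentityDirectoryEvents-shaped record using the query's field names."""
    return {
        "event.module": "defender-identity",
        "Vendor.category": "AdvancedHunting-IdentityDirectoryEvents",
        "event.action": "smb session",
        "event.outcome": outcome,
        "user.name": user,
        "source.address": src,
        DEST: dest,
        OS: os_name,
        "@timestamp": _ts(minutes),
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # svc-backup from 10.0.0.5: 4 distinct hosts within 4 minutes -> should be reported
    _ev("svc-backup", "10.0.0.5", "FS01", "Windows Server 2019", 0),
    _ev("svc-backup", "10.0.0.5", "FS02", "Windows Server 2019", 1),
    _ev("svc-backup", "10.0.0.5", "FS01", "Windows Server 2019", 2),
    _ev("svc-backup", "10.0.0.5", "FS03", "Windows Server 2022", 3),
    _ev("svc-backup", "10.0.0.5", "DC01", "Windows Server 2022", 4),
    _ev("svc-backup", "10.0.0.5", "DC02", "Windows Server 2022", 5, outcome="failure"),  # dropped by outcome filter
    # alice: only 2 distinct hosts -> below the unique_destinations threshold
    _ev("alice", "10.0.0.20", "FS01", "Windows Server 2019", 10),
    _ev("alice", "10.0.0.20", "FS02", "Windows Server 2019", 11),
    # bob: 3 distinct hosts but spread over 45 minutes -> outside the 10-minute window
    _ev("bob", "10.0.0.30", "FS01", "Windows Server 2019", 20),
    _ev("bob", "10.0.0.30", "FS02", "Windows Server 2019", 40),
    _ev("bob", "10.0.0.30", "FS03", "Windows Server 2019", 65),
]


def _fmt(ms):
    """Equivalent of formatTime("%Y-%m-%d %H:%M:%S", timezone="UTC") on an epoch-ms value."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def detect_smb_enumeration(events, min_destinations=3, max_window_min=10):
    """Mirror of the query: filter, groupBy(user, source), threshold, window, sort desc."""
    groups = defaultdict(list)
    for e in events:
        if (e.get("event.module") == "defender-identity"
                and e.get("Vendor.category") == "AdvancedHunting-IdentityDirectoryEvents"
                and e.get("event.action") == "smb session"
                and e.get("event.outcome") == "success"):
            groups[(e["user.name"], e["source.address"])].append(e)

    results = []
    for (user, src), evs in groups.items():
        unique_dests = sorted({e[DEST] for e in evs})
        if len(unique_dests) < min_destinations:          # unique_destinations >= 3
            continue
        start = min(e["@timestamp"] for e in evs)         # min(@timestamp)
        end = max(e["@timestamp"] for e in evs)           # max(@timestamp)
        time_diff_min = (end - start) / 60000             # ms -> minutes
        if time_diff_min > max_window_min:                # time_diff_min <= 10
            continue
        results.append({
            "user.name": user,
            "source.address": src,
            "smb_sessions": len(evs),
            "unique_destinations": len(unique_dests),
            "destinations": unique_dests,
            "destination_os": sorted({e[OS] for e in evs}),
            "time_diff_min": time_diff_min,
            "start_time_fmt": _fmt(start),
            "end_time_fmt": _fmt(end),
        })
    results.sort(key=lambda r: r["unique_destinations"], reverse=True)
    return results


if __name__ == "__main__":
    for hit in detect_smb_enumeration(SAMPLE_EVENTS):
        print(hit)
```

Running it reports only svc-backup; alice falls below the distinct-host threshold and bob's three hosts are too spread out. Because the window is computed as max minus min over the whole group, exactly as the query does, a (user, source) pair with legitimate SMB activity across the entire search range is discarded even if it also contains a short burst, so the search time range you run the query over is effectively a third tuning variable alongside the 3-host and 10-minute values.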