Threat hunting with Microsoft Defender – Valid Accounts

In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.

Threat hunting with CrowdStrike – Valid Accounts

Techniques of interest: |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares   Hypothesis:  If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines.   If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike – Valid Accounts”