In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.
Tag Archives: edr
Threat hunting with CrowdStrike – Valid Accounts
Techniques of interest: https://attack.mitre.org/techniques/T1078/ https://attack.mitre.org/techniques/T1021/ |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares Hypothesis: If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines. If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike – Valid Accounts”