Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft Defender for EndpointMicrosoft SentinelSECURE

Hunt For All Executed LDAP Queries From A Compromised Device

Wayne Andes 4 min read

Description

This KQL query will list all executed LDAP quieries from a compromised device.

Query

Microsoft Defender For Endpoint
Kusto
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
     Timestamp,
     QueryType,
     Query,
     Protocol,
     DeviceName,
     DestinationDeviceName,
     TargetAccountUpn

Microsoft Sentinel
Kusto
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityQueryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
     TimeGenerated,
     QueryType,
     Query,
     Protocol,
     DeviceName,
     DestinationDeviceName,
     TargetAccountUpn

You May Also Like

List User Account Added To Administrators Group

Wayne Andes

Hunt For Suspicious SMB Sessions

Wayne Andes

List Sign-ins By UserAgent

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *