crowdstrike_cql, TTP
Potential Lateral Movement through RDP
Detects when a user account initiates Remote Desktop Protocol (RDP) sessions across multiple systems within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement by an attacker or unauthorized use of administrative access.

This query detects potential lateral movement activity by analyzing Kerberos/NTLM remote desktop logon events from Microsoft Defender for Identity. It groups authentication events by username and flags users who logged into more than one unique device within a 60-minute window. Note that the window is measured between the user's first and last matching RDP logon in the search range, not as a sliding window, so the query should be run over a short search range (or the threshold adjusted) to avoid losing bursts from accounts that also RDP routinely at other times of day.
Detection Query
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityLogonEvents"
| network.protocol = "kerberos" or network.protocol = "ntlm"
| Vendor.properties.LogonType="Remote desktop"
| groupBy([user.name], function=[count(as=lateral_moves),count(field=Vendor.properties.TargetDeviceName, distinct=true, as=unique_devices),collect(fields=[Vendor.properties.DeviceName,Vendor.properties.TargetDeviceName,source.address]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| unique_devices > 1 //Adjust the value as per environment
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 60 //Adjust the time as per environment
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([unique_devices], order=desc)
Author
Kundan Kumar
Data Sources
Identity
Tags
Detection, cs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Potential Lateral Movement through RDP
# MITRE ATT&CK technique IDs
mitre_ids:
- T1021.001
# Description of what the query does and its purpose.
description: |
Detects when a user account initiates Remote Desktop Protocol (RDP) sessions across multiple systems within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement by an attacker or unauthorized use of administrative access.
# The author or team that created the query.
author: Kundan Kumar
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Identity
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Identity
# Tags for filtering and categorization.
tags:
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityLogonEvents"
| network.protocol = "kerberos" or network.protocol = "ntlm"
| Vendor.properties.LogonType="Remote desktop"
| groupBy([user.name], function=[count(as=lateral_moves),count(field=Vendor.properties.TargetDeviceName, distinct=true, as=unique_devices),collect(fields=[Vendor.properties.DeviceName,Vendor.properties.TargetDeviceName,source.address]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| unique_devices > 1 //Adjust the value as per environment
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 60 //Adjust the time as per environment
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([unique_devices], order=desc)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
This query detects potential lateral movement activity by analyzing Kerberos/NTLM remote desktop logon events from Microsoft Defender for Identity. It groups authentication events by username and flags users who logged into more than one unique device within a 60-minute window. The window is measured between the user's first and last matching RDP logon in the search range, so run the query over a short search range (or adjust the threshold) so that accounts which also RDP routinely at other times of day are not dropped.
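The description and explanation above state the aggregation in prose. The following Python is an added example, not part of this query page and not CQL: it reproduces the query's filter and groupBy stages over constructed IdentityLogonEvents-style records (field names mirror the CQL; the events, user names, hostnames and addresses are invented), and it goes beyond the page by adding a sliding-window variant the query does not have. The variant exists to make the caveat concrete: the query compares a user's first and last RDP logon across the whole search range, so an account with one more routine RDP session hours after a burst exceeds 60 minutes and drops out of the whole-span result.

```python
from collections import defaultdict
from datetime import datetime, timezone


def epoch_ms(iso):
    """Epoch milliseconds, the unit of @timestamp that the CQL divides by 60000."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)


def ev(user, proto, logon_type, src_dev, dst_dev, src_ip, when,
       category="AdvancedHunting-IdentityLogonEvents"):
    """Build one constructed record with the fields the CQL filters and groups on."""
    return {
        "Vendor": "microsoft",
        "event.module": "defender-identity",
        "Vendor.category": category,
        "network.protocol": proto,
        "Vendor.properties.LogonType": logon_type,
        "Vendor.properties.DeviceName": src_dev,
        "Vendor.properties.TargetDeviceName": dst_dev,
        "source.address": src_ip,
        "user.name": user,
        "@timestamp": epoch_ms(when),
    }


# Constructed sample events (invented, not real telemetry).
SAMPLE_EVENTS = [
    # jdoe: three distinct targets in 15 minutes, the burst the query is meant to catch
    ev("jdoe", "kerberos", "Remote desktop", "WS01", "SRV01", "10.0.1.5", "2024-05-01T10:00:00"),
    ev("jdoe", "kerberos", "Remote desktop", "WS01", "SRV02", "10.0.1.5", "2024-05-01T10:07:00"),
    ev("jdoe", "ntlm",     "Remote desktop", "WS01", "SRV03", "10.0.1.5", "2024-05-01T10:15:00"),
    # admin1: the same kind of burst at 08:00-08:20, plus one routine RDP eight hours later
    ev("admin1", "kerberos", "Remote desktop", "ADM01", "SRV01", "10.0.2.9", "2024-05-01T08:00:00"),
    ev("admin1", "kerberos", "Remote desktop", "ADM01", "SRV02", "10.0.2.9", "2024-05-01T08:10:00"),
    ev("admin1", "kerberos", "Remote desktop", "ADM01", "SRV03", "10.0.2.9", "2024-05-01T08:20:00"),
    ev("admin1", "kerberos", "Remote desktop", "ADM01", "SRV04", "10.0.2.9", "2024-05-01T16:00:00"),
    # svc_backup: two logons to the same device, so unique_devices stays 1
    ev("svc_backup", "ntlm", "Remote desktop", "BK01", "SRV01", "10.0.3.2", "2024-05-01T02:00:00"),
    ev("svc_backup", "ntlm", "Remote desktop", "BK01", "SRV01", "10.0.3.2", "2024-05-01T02:05:00"),
    # alice: network logons, not RDP, filtered out before aggregation
    ev("alice", "kerberos", "Network", "WS07", "SRV01", "10.0.1.7", "2024-05-01T10:00:00"),
    ev("alice", "kerberos", "Network", "WS07", "SRV02", "10.0.1.7", "2024-05-01T10:01:00"),
]


def filter_rdp_events(events):
    """The CQL filter stage: Defender for Identity logon events over Kerberos/NTLM
    whose LogonType is 'Remote desktop'."""
    return [
        e for e in events
        if e["Vendor"] == "microsoft"
        and e["event.module"] == "defender-identity"
        and e["Vendor.category"] == "AdvancedHunting-IdentityLogonEvents"
        and e["network.protocol"] in ("kerberos", "ntlm")
        and e["Vendor.properties.LogonType"] == "Remote desktop"
    ]


def _group_by_user(events):
    by_user = defaultdict(list)
    for e in filter_rdp_events(events):
        by_user[e["user.name"]].append(e)
    return by_user


def detect_whole_span(events, min_unique_devices=2, max_span_min=60):
    """The CQL aggregation as written: groupBy user.name, count distinct
    TargetDeviceName, and keep users whose first-to-last logon span is <= 60 min."""
    hits = {}
    for user, evs in _group_by_user(events).items():
        targets = {e["Vendor.properties.TargetDeviceName"] for e in evs}
        start = min(e["@timestamp"] for e in evs)
        end = max(e["@timestamp"] for e in evs)
        span_min = (end - start) / 60000          # same arithmetic as time_diff_min
        if len(targets) >= min_unique_devices and span_min <= max_span_min:
            hits[user] = {"lateral_moves": len(evs), "unique_devices": len(targets),
                          "time_diff_min": span_min}
    return hits


def detect_sliding_window(events, min_unique_devices=2, window_min=60):
    """Added variant (not in the page's query): per user, the largest number of
    distinct targets seen inside any 60-minute window, so a burst is caught even
    when the account has other RDP sessions hours away."""
    hits = {}
    window_ms = window_min * 60000
    for user, evs in _group_by_user(events).items():
        evs.sort(key=lambda e: e["@timestamp"])
        counts, lo, best = defaultdict(int), 0, 0   # target -> hits inside the window
        for hi, e in enumerate(evs):
            counts[e["Vendor.properties.TargetDeviceName"]] += 1
            while evs[hi]["@timestamp"] - evs[lo]["@timestamp"] > window_ms:
                old = evs[lo]["Vendor.properties.TargetDeviceName"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            best = max(best, len(counts))
        if best >= min_unique_devices:
            hits[user] = {"max_unique_devices_in_window": best}
    return hits


if __name__ == "__main__":
    print("whole-span (as the CQL):", detect_whole_span(SAMPLE_EVENTS))
    print("sliding window:", detect_sliding_window(SAMPLE_EVENTS))
```

On the constructed data the whole-span version flags only jdoe, because admin1's 16:00 session stretches that user's span to eight hours; the sliding-window version flags both. In the SIEM the equivalent mitigation is to keep the query's search range close to the 60-minute threshold, or raise `unique_devices` and the time bound together for accounts that are expected to hop between many hosts.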