Created September 10, 2020 23:46
// STRONTIUM: Detecting new patterns in credential harvesting
// https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
// Microsoft Threat Protection (MTP) Query
// Thanks Microsoft for not providing your own plain text version! I loved writing this from an image.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonFailed"
| where IPAddress startswith "185.220.101." or IPAddress startswith "199.249.230." or IPAddress startswith "23.129.64." or IPAddress startswith "109.70.100." or IPAddress startswith "185.220.102."
| summarize authAttempts=dcount(Timestamp), firstAttempt=min(Timestamp), lastAttempt=max(Timestamp), uniqueIPs=dcount(IPAddress), uniqueAccounts=dcount(AccountObjectId), attemptedAccounts=make_set(AccountObjectId) by DeviceType, OSPlatform
| sort by uniqueAccounts
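To check what the query above actually computes before running it against tenant data, the following is an added Python re-implementation of its filter, summarize and sort stages over a handful of constructed IdentityLogonEvents rows. It is not part of the gist and not Microsoft's code; the event rows, the fixed "now" used for ago(30d), and the function name are all assumptions made for this offline example. Two behaviours worth seeing on sample data: KQL `startswith` is a plain string-prefix match, so the trailing dot in each /24 prefix matters, and `dcount(Timestamp)` counts distinct timestamps, so several failures logged in the same second collapse into one "attempt".

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The five Tor exit-node /24 prefixes from the query. KQL `startswith` is a plain
# string-prefix test, so the trailing "." matters: "185.220.10.x" must not match
# "185.220.101.".
TOR_EXIT_PREFIXES = (
    "185.220.101.", "199.249.230.", "23.129.64.", "109.70.100.", "185.220.102.",
)

# Fixed "now" (assumption) so that ago(30d) is deterministic in this offline example.
NOW = datetime(2020, 9, 10, 23, 0, tzinfo=timezone.utc)


def _ts(s):
    """Parse an ISO-8601 timestamp from the constructed sample rows as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample rows (not real telemetry), restricted to the
# IdentityLogonEvents columns the query touches.
SAMPLE_EVENTS = [
    {"Timestamp": _ts("2020-09-09T10:00:00"), "ActionType": "LogonFailed",
     "IPAddress": "185.220.101.5", "AccountObjectId": "acct-a",
     "DeviceType": "Server", "OSPlatform": "Windows"},
    # Same second as the row above: dcount(Timestamp) counts these two as one attempt.
    {"Timestamp": _ts("2020-09-09T10:00:00"), "ActionType": "LogonFailed",
     "IPAddress": "185.220.101.5", "AccountObjectId": "acct-b",
     "DeviceType": "Server", "OSPlatform": "Windows"},
    {"Timestamp": _ts("2020-09-09T10:05:00"), "ActionType": "LogonFailed",
     "IPAddress": "199.249.230.7", "AccountObjectId": "acct-a",
     "DeviceType": "Server", "OSPlatform": "Windows"},
    # Successful logon from a Tor exit: dropped by the ActionType filter.
    {"Timestamp": _ts("2020-09-09T11:00:00"), "ActionType": "LogonSuccess",
     "IPAddress": "185.220.101.5", "AccountObjectId": "acct-a",
     "DeviceType": "Server", "OSPlatform": "Windows"},
    # Older than 30 days: dropped by the Timestamp filter.
    {"Timestamp": _ts("2020-07-01T08:00:00"), "ActionType": "LogonFailed",
     "IPAddress": "185.220.101.5", "AccountObjectId": "acct-c",
     "DeviceType": "Server", "OSPlatform": "Windows"},
    {"Timestamp": _ts("2020-09-08T09:00:00"), "ActionType": "LogonFailed",
     "IPAddress": "23.129.64.200", "AccountObjectId": "acct-d",
     "DeviceType": "Workstation", "OSPlatform": "Windows"},
    # Not a listed prefix ("185.220.10." is not "185.220.101."): dropped.
    {"Timestamp": _ts("2020-09-08T09:30:00"), "ActionType": "LogonFailed",
     "IPAddress": "185.220.10.5", "AccountObjectId": "acct-e",
     "DeviceType": "Workstation", "OSPlatform": "Windows"},
]


def hunt_tor_logon_failures(events, now=NOW, lookback=timedelta(days=30)):
    """Python equivalent of the KQL query's where | summarize | sort stages."""
    cutoff = now - lookback
    groups = defaultdict(list)
    for ev in events:
        if not ev["Timestamp"] > cutoff:                        # where Timestamp > ago(30d)
            continue
        if ev["ActionType"] != "LogonFailed":                   # where ActionType == "LogonFailed"
            continue
        if not ev["IPAddress"].startswith(TOR_EXIT_PREFIXES):   # where IPAddress startswith ...
            continue
        groups[(ev["DeviceType"], ev["OSPlatform"])].append(ev)  # ... by DeviceType, OSPlatform

    rows = []
    for (device_type, os_platform), evs in groups.items():
        rows.append({
            "DeviceType": device_type,
            "OSPlatform": os_platform,
            "authAttempts": len({e["Timestamp"] for e in evs}),      # dcount(Timestamp)
            "firstAttempt": min(e["Timestamp"] for e in evs),        # min(Timestamp)
            "lastAttempt": max(e["Timestamp"] for e in evs),         # max(Timestamp)
            "uniqueIPs": len({e["IPAddress"] for e in evs}),         # dcount(IPAddress)
            "uniqueAccounts": len({e["AccountObjectId"] for e in evs}),  # dcount(AccountObjectId)
            # make_set() yields a dynamic array with no guaranteed order; sorted here for stable output.
            "attemptedAccounts": sorted({e["AccountObjectId"] for e in evs}),
        })
    # KQL `sort by` defaults to descending order, so the busiest group comes first.
    rows.sort(key=lambda r: r["uniqueAccounts"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in hunt_tor_logon_failures(SAMPLE_EVENTS):
        print(row)
```

On the constructed rows the Server/Windows group reports authAttempts=2 although it holds three failed logons, because two of them share a timestamp; if you want a true attempt count, replace `dcount(Timestamp)` with `count()` in the KQL. The Tor exit prefixes are the ones listed in the query at the time of writing; Tor exit nodes change, so refresh the list before reusing the hunt.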