An adversary may use a compromised machine’s IP address to pivot and access other systems within the network. SOC teams should proactively hunt for this behavior to identify potential lateral movement and unauthorized access attempts in their Azure Sentinel environment.
KQL Query
let pivotTimeParam = datetime(2018-07-15 19:51:00);
let ipAddressParam = "192.168.1.5";
DeviceNetworkInfo
| where Timestamp between ((pivotTimeParam-15m) ..30m) and IPAddresses contains strcat("\"", ipAddressParam, "\"") and NetworkAdapterStatus == "Up"
//// Optional - add filters to make sure machine is part of the relevant network (and not using that IP address as part of another private network).
//// For example:
// and ConnectedNetworks contains "corp.contoso.com"
// and IPv4Dhcp == "10.164.3.12"
// and DefaultGateways contains "\"10.164.3.1\""
| project DeviceName, Timestamp, IPAddresses, TimeDifference=abs(Timestamp-pivotTimeParam)
// In case multiple machines have reported from that IP address around that time, start with the ones reporting closest to pivotTimeParam
| sort by TimeDifference asc
id: 34a7334e-7bc0-4e3f-abc5-469ac7e29be7
name: Machine info from IP address
description: |
  The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users.
  To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What-s-New/Advanced-hunting-now-includes-network-adapters-information/m-p/224402#M74.
  Query #1: get machines that have used a given local IP address at a given time - as configured on their network adapters.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
query: |
  let pivotTimeParam = datetime(2018-07-15 19:51:00);
  let ipAddressParam = "192.168.1.5";
  DeviceNetworkInfo
  | where Timestamp between ((pivotTimeParam-15m) ..30m) and IPAddresses contains strcat("\"", ipAddressParam, "\"") and NetworkAdapterStatus == "Up"
  //// Optional - add filters to make sure machine is part of the relevant network (and not using that IP address as part of another private network).
  //// For example:
  // and ConnectedNetworks contains "corp.contoso.com"
  // and IPv4Dhcp == "10.164.3.12"
  // and DefaultGateways contains "\"10.164.3.1\""
  | project DeviceName, Timestamp, IPAddresses, TimeDifference=abs(Timestamp-pivotTimeParam)
  // In case multiple machines have reported from that IP address around that time, start with the ones reporting closest to pivotTimeParam
  | sort by TimeDifference asc
Scenario: Scheduled system maintenance or updates using Windows Server Update Services (WSUS)
Filter/Exclusion: Exclude IP addresses associated with the WSUS server or any IP ranges used for internal update distribution.
Scenario: PowerShell remoting or Windows Management Instrumentation (WMI) used by administrators to manage remote machines
Filter/Exclusion: Exclude IP addresses that are known to be used by admin workstations or domain controllers for remote management.
Scenario: Logon events from legitimate user accounts during normal business hours
Filter/Exclusion: Exclude IP addresses that are associated with known user workstations or are within the internal network range.
Scenario: Backup jobs running via Veeam Backup & Replication or Commvault that access machine information
Filter/Exclusion: Exclude IP addresses associated with backup servers or backup agents.
Scenario: System health agent or Windows Defender performing routine health checks and reporting machine info
Filter/Exclusion: Exclude IP addresses used by the Microsoft System Health Service or any internal monitoring tools.
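The query above and the exclusion scenarios listed here can be exercised offline with the following Python, added as an illustration and not part of the hunting query repository. It replays the query's logic (30-minute window centred on pivotTimeParam, adapter status "Up", optional ConnectedNetworks filter, sort by distance from the pivot time) over a handful of constructed DeviceNetworkInfo-style rows, shows why the query wraps the address in quotes (a bare substring match on "192.168.1.5" also matches "192.168.1.50"), and adds a hypothetical exclusion check for the known-server addresses and ranges the false-positive table asks you to filter out. Row values, device names and the exclusion list are made up; the column names follow the query.

```python
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Parameters mirroring pivotTimeParam / ipAddressParam in the KQL query.
PIVOT_TIME = datetime(2018, 7, 15, 19, 51, 0)
IP_PARAM = "192.168.1.5"

# Constructed rows modelled on the DeviceNetworkInfo columns the query touches.
# IPAddresses and ConnectedNetworks are JSON arrays serialised as strings, as in the table.
SAMPLE_ROWS = [
    {"DeviceName": "ws-0142", "Timestamp": "2018-07-15T19:49:30Z", "NetworkAdapterStatus": "Up",
     "IPAddresses": '[{"IPAddress":"192.168.1.5","SubnetPrefix":24,"AddressType":"Private"}]',
     "ConnectedNetworks": '[{"Name":"corp.contoso.com","Category":"Domain"}]'},
    # Different host in the same /24: a plain substring match on "192.168.1.5" would hit this row.
    {"DeviceName": "ws-0177", "Timestamp": "2018-07-15T19:50:10Z", "NetworkAdapterStatus": "Up",
     "IPAddresses": '[{"IPAddress":"192.168.1.50","SubnetPrefix":24,"AddressType":"Private"}]',
     "ConnectedNetworks": '[{"Name":"corp.contoso.com","Category":"Domain"}]'},
    # Right address, but the adapter is down: dropped by NetworkAdapterStatus == "Up".
    {"DeviceName": "ws-0201", "Timestamp": "2018-07-15T19:58:00Z", "NetworkAdapterStatus": "Down",
     "IPAddresses": '[{"IPAddress":"192.168.1.5","SubnetPrefix":24,"AddressType":"Private"}]',
     "ConnectedNetworks": '[{"Name":"corp.contoso.com","Category":"Domain"}]'},
    # Same private address on a home network: only the optional network filter removes it.
    {"DeviceName": "lt-0099", "Timestamp": "2018-07-15T19:53:00Z", "NetworkAdapterStatus": "Up",
     "IPAddresses": '[{"IPAddress":"192.168.1.5","SubnetPrefix":24,"AddressType":"Private"}]',
     "ConnectedNetworks": '[{"Name":"homewifi","Category":"Public"}]'},
    # Right address and network, three hours earlier: outside the window.
    {"DeviceName": "ws-0310", "Timestamp": "2018-07-15T16:40:00Z", "NetworkAdapterStatus": "Up",
     "IPAddresses": '[{"IPAddress":"192.168.1.5","SubnetPrefix":24,"AddressType":"Private"}]',
     "ConnectedNetworks": '[{"Name":"corp.contoso.com","Category":"Domain"}]'},
    # DHCP reuse: a second corp machine on the address inside the window, further from the pivot.
    {"DeviceName": "ws-0155", "Timestamp": "2018-07-15T20:02:00Z", "NetworkAdapterStatus": "Up",
     "IPAddresses": '[{"IPAddress":"192.168.1.5","SubnetPrefix":24,"AddressType":"Private"}]',
     "ConnectedNetworks": '[{"Name":"corp.contoso.com","Category":"Domain"}]'},
]

# Hypothetical exclusion list for the false-positive scenarios (WSUS, admin hosts, backup ranges).
EXCLUDED_SOURCES = ["10.164.3.12", "10.164.20.0/24"]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def naive_contains(row, ip):
    # Substring match: "192.168.1.5" is a prefix of "192.168.1.50", so this over-matches.
    return ip in row["IPAddresses"]


def quoted_contains(row, ip):
    # The query's strcat("\"", ipAddressParam, "\"") trick: match the JSON string token exactly.
    return '"%s"' % ip in row["IPAddresses"]


def adapter_has_ip(row, ip):
    # Parse the JSON array instead of string-matching; equivalent to the quoted match but explicit.
    return any(entry.get("IPAddress") == ip for entry in json.loads(row["IPAddresses"]))


def on_network(row, network_name):
    return any(n.get("Name") == network_name for n in json.loads(row["ConnectedNetworks"]))


def machines_for_ip(rows, ip, pivot_time, window=timedelta(minutes=15), network_name=None):
    # between((pivot-15m) .. 30m) is inclusive and spans pivot-15m to pivot+15m.
    start, end = pivot_time - window, pivot_time + window
    hits = []
    for row in rows:
        ts = parse_ts(row["Timestamp"])
        if not (start <= ts <= end):
            continue
        if row["NetworkAdapterStatus"] != "Up" or not adapter_has_ip(row, ip):
            continue
        if network_name and not on_network(row, network_name):
            continue
        hits.append({"DeviceName": row["DeviceName"], "Timestamp": ts,
                     "TimeDifference": abs(ts - pivot_time)})
    # Closest report to the pivot time first, like "sort by TimeDifference asc".
    hits.sort(key=lambda h: h["TimeDifference"])
    return hits


def is_excluded_source(ip, exclusions=EXCLUDED_SOURCES):
    # Skip pivots from addresses the false-positive table says to exclude (single hosts or CIDRs).
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in exclusions)


if __name__ == "__main__":
    if not is_excluded_source(IP_PARAM):
        for hit in machines_for_ip(SAMPLE_ROWS, IP_PARAM, PIVOT_TIME, network_name="corp.contoso.com"):
            print(hit["DeviceName"], hit["Timestamp"], hit["TimeDifference"])
```

Running it with the network filter returns ws-0142 (90 seconds from the pivot) and then ws-0155; without the filter the home-network laptop lt-0099 also appears, which is exactly the ambiguity the optional ConnectedNetworks / IPv4Dhcp / DefaultGateways filters in the query are there to remove.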