latmov
firewall
# firewall: connection events on host 9.2.3.5 where $addr_ip$ (presumably a dashboard token) is
# either the source or the destination. EventCode=515* is a wildcard, so it matches every 515x
# code — presumably the Windows Filtering Platform events (e.g. 5156 connection permitted,
# 5157 connection blocked) — confirm that the whole 515x range is intended.
# `cluster showcount=t` groups similar events and adds cluster_count, so the final table has
# one row per event pattern (with its count), not one row per event.
host=9.2.3.5 (Source_Address=$addr_ip$ OR Destination_Address=$addr_ip$) EventCode=515*
| fields Source_Address, Source_Port, Destination_Address, Destination_Port,EventCode
| cluster showcount=t
| table cluster_count Source_Port, Source_Address, EventCode, Destination_Address, Destination_Port
logons
# logons: count network logon attempts (Logon_Type=3) per account and source address,
# keeping successes (4624) and failures (4625) in the same table so a burst of failures
# can be read next to any success from the same source.
# $addr_ip$ is matched as free text here (unlike the firewall search, which pins it to a
# field), so it hits any field containing that string; use Source_Network_Address=$addr_ip$
# if only the source address is meant.
# NOTE(review): the output field of `lookup reversedns` is not shown. If it writes `host`,
# it overwrites the indexed host (already fixed to 9.2.3.5) before the stats — the
# "Nom de l'hôte" rename suggests that is the intent; confirm against the lookup definition.
# wineventcode.csv maps EventCode to a readable Description for the table.
host=9.2.3.5 Source_Network_Address=* Logon_Type=3 (EventCode=4624 OR EventCode=4625) $addr_ip$
| fields Security_ID, Source_Network_Address, host, EventCode
| lookup reversedns ip as Source_Network_Address
| lookup wineventcode.csv code as EventCode OUTPUT description as Description
| stats count by Security_ID, Source_Network_Address, EventCode, host, Description
| table Security_ID, Source_Network_Address, host, EventCode, Description, count
| sort -count
| rename Source_Network_Address as "Adresse IP Source", count as "Nb événements", host as "Nom de l'hôte"
# timechart of successful network logons (EventCode=4624, Logon_Type=3) over time,
# one series per Security_ID. Same free-text $addr_ip$ match as the count search above.
host=9.2.3.5 Source_Network_Address=* Logon_Type=3 (EventCode=4624) $addr_ip$
| fields Security_ID, EventCode
| timechart count(EventCode) by Security_ID
# timechart of failed network logons (EventCode=4625, Logon_Type=3) over time,
# one series per Security_ID; read side by side with the success chart to spot a
# failure burst followed by a success from the same account.
host=9.2.3.5 Source_Network_Address=* Logon_Type=3 (EventCode=4625) $addr_ip$
| fields Security_ID, EventCode
| timechart count(EventCode) by Security_ID
rdp-hijack
# https://www.ired.team/offensive-security/lateral-movement/t1075-rdp-hijacking-for-lateral-movement#observations
lpe
dll-hijack