
After a customer has connected Microsoft Defender for Identity to Microsoft 365 Defender, one of the benefits is the ability to query the Defender for Identity activities. In this blog we showcase two customer use cases that took advantage of the Advanced Hunting functionality available today.


We continue to build functionality into Microsoft 365 Defender, and we encourage identity-focused customers to leverage its available activities in Advanced Hunting. This unified solution provides a platform to conduct advanced hunting, incident correlation and custom detections across the Microsoft 365 security stack. Building on these options, we wanted to supply two queries that have helped solve two customer use cases.


Use Case #1: Enhanced reporting on usage of LDAP Simple Bind 

When LDAP Simple Bind is used, the username and password are sent across the network (on the wire) in cleartext. Imagine if this happens to a user who has elevated privileges in the domain.

In this use case the customer had started a project to eliminate the use of LDAP Simple Bind, because anyone sniffing the network traffic would see these credentials and could then impersonate the user.


One of the Identity Security Posture assessments that is part of Defender for Identity is "Entities exposing credentials in clear text". This assessment shows the top devices that are sending user authentications via LDAP Simple Bind and which users are authenticating from these devices.

For organizations with multiple domains and forests that are monitored by Defender for Identity the assessment shows data across all forests and domains.  








For customers that have multiple domains, Microsoft 365 Defender can assist in pinpointing where these accounts fall across their environment. We can create this report by leveraging Advanced Hunting, which can be found in the Microsoft 365 Defender portal.


Run the Kusto Query Language (KQL) query below, which returns all LDAP logons whose logon type indicates that the password was sent in cleartext.




// Helper: position of the first occurrence of lookup in input (-1 length = search the whole string)
let firstIndexof = (input:string, lookup:string) {
    indexof(input, lookup, 0, -1)
};
IdentityLogonEvents
| where LogonType == "LDAP cleartext" and ActionType == "LogonSuccess"
// The domain is taken from the FQDN of the domain controller that received the bind
| extend DomainName = substring(DestinationDeviceName, firstIndexof(DestinationDeviceName, '.') + 1)
// | where DomainName == "<your domain name>" // optional: uncomment and replace to limit the results to one domain
| summarize NumberOfEntries = count() by LogonType, ActionType, AccountDisplayName, DomainName, AccountSid, IPAddress, DeviceName, DC = DestinationDeviceName
| sort by AccountDisplayName





The results are summarized by the number of events and contain data such as the user, domain and device.





You could also add the following line to restrict the results to a single domain within your environment:

| where DomainName == "domain name"
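A variant of the same idea, added here as an example and not part of the original post: rather than listing every logon, it rolls the cleartext binds up per domain and source device, which is the view a remediation project needs (which devices to fix first, and which accounts they expose). It generalizes the query above in two ways: it covers all monitored domains at once, and it keeps failed binds as well as successful ones, since the password crossed the wire in cleartext either way. Column names are those of the IdentityLogonEvents table as used above; the 30-day look-back and the top-20 cut-off are assumptions.

```kql
// Added example, not from the original post. Assumes the IdentityLogonEvents
// columns used above; the 30-day window and top-20 cut-off are arbitrary choices.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where LogonType == "LDAP cleartext"
// No ActionType filter: a failed simple bind still sent the password in cleartext
| extend DomainName = substring(DestinationDeviceName, indexof(DestinationDeviceName, ".") + 1)
| summarize
    CleartextBinds    = count(),
    FailedBinds       = countif(ActionType == "LogonFailed"),
    DistinctAccounts  = dcount(AccountSid),
    Accounts          = make_set(AccountDisplayName, 20),
    DomainControllers = make_set(DestinationDeviceName, 10),
    FirstSeen         = min(Timestamp),
    LastSeen          = max(Timestamp)
    by DomainName, DeviceName, IPAddress
// Devices with the most binds are the best candidates to reconfigure first
| top 20 by CleartextBinds desc
```

The per-device account list (capped at 20 entries) is what lets you spot a privileged account among the exposed ones; FirstSeen and LastSeen show whether a device is still sending simple binds after it was supposedly reconfigured.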



By using a combination of both products, we have elevated the Defender for Identity (MDI) experience and can continue to generate on-demand reports for the last 30 days that will assist in improving your overall security posture.


Use Case #2: What were the commands that were run in the Remote Code Execution alert


In our second query, we focus on using Advanced Hunting to join multiple tables from both Defender for Identity and Microsoft Defender for Endpoint, which helps us determine all the important details behind a single MDI alert.

This alert triggers when Defender for Identity detects PsExec, remote WMI or remote PowerShell connections to a monitored domain controller.






As you can see from the graphic above, Defender for Identity provides critical details that we can use in our query including the timeframe of the suspected attempt, the device name and the user in question. We will take these critical details and join them to data available from Defender for Endpoint.  


After receiving the alert, the customer was looking for the WMI command that was run to determine if they would need to further investigate these activities.  


In the example above, we have also deployed Defender for Endpoint, so local device activity is available as well. Via an advanced hunting query we extracted the device (VictimPc) from the Defender for Identity alert and then queried the endpoint data for the required information. This lets us retrieve the commands that triggered the alert.




let duration = totimespan(600m); // how long after the alert evidence timestamp to look for WMIC and PsExec commands; adjust as needed
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Identity"
| where Title == "Remote code execution attempt"
| project AlertId, AlertTime = Timestamp, Title
// Pull the source machine of the alert from the evidence table
| join (AlertEvidence) on AlertId
| where EvidenceDirection == "Source" and EntityType == "Machine"
| project AlertId, AlertTime, DeviceId, DeviceName, UpdateTime = Timestamp, Title
// Join the Defender for Endpoint process events of that machine
| join (DeviceProcessEvents
    | where FileName =~ "WMIC.exe" or FileName =~ "PsExec.exe" // =~ is case-insensitive; file names are often logged in lowercase
    | project ProcessTime = Timestamp, ProcessCommandLine, FileName, FolderPath, DeviceName, DeviceId) on DeviceId
// Keep processes from 2 minutes before the evidence timestamp up to 'duration' after it
| where ProcessTime - UpdateTime between (-2m .. duration)
// | where ProcessTime >= AlertTime
| project AlertId, AlertTime, ProcessTime, UpdateTime, Title, DeviceName, FolderPath, ProcessCommandLine, FileName
| sort by ProcessTime desc







In the output of the above query, you can see the PsExec and WMI commands that triggered the alert. Using this information, you can more easily determine whether this is anomalous behavior for your environment.
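The query above looks at the client side of the alert, so it only finds something when the tool was launched on a monitored endpoint under one of the two file names. The following query, added here as an example and not part of the original post, applies the same alert-to-process correlation to the destination side: the domain controller named in the alert evidence. PsExec, remote WMI and remote PowerShell each run their command through a well-known host process on the target (PSEXESVC.exe, WmiPrvSE.exe and wsmprovhost.exe respectively), so looking for children of those processes on the DC shows what was executed regardless of which client tool was used. It assumes the domain controller is onboarded to Defender for Endpoint, and the 7-day look-back and 10-minute window are arbitrary choices.

```kql
// Added example, not from the original post. Assumes the DC is onboarded to
// Defender for Endpoint; look-back and window sizes are arbitrary.
let duration = 10m;
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Identity"
| where Title == "Remote code execution attempt"
| project AlertId, AlertTime = Timestamp, Title
// This time take the destination machine, i.e. the domain controller
| join kind=inner (
    AlertEvidence
    | where EvidenceDirection == "Destination" and EntityType == "Machine"
    | project AlertId, DeviceId, DeviceName, EvidenceTime = Timestamp
  ) on AlertId
// Processes spawned by the remote-execution host processes on the DC
| join kind=inner (
    DeviceProcessEvents
    | where InitiatingProcessFileName in~ ("psexesvc.exe", "wmiprvse.exe", "wsmprovhost.exe")
    | project ProcessTime = Timestamp, DeviceId, AccountName,
              InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine
  ) on DeviceId
// Same window logic as above: 2 minutes before the evidence time up to 'duration' after it
| where ProcessTime between ((EvidenceTime - 2m) .. (EvidenceTime + duration))
| project AlertId, AlertTime, DeviceName, ProcessTime, AccountName,
          InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine
| sort by ProcessTime desc
```

Because the DC-side view includes the account the command ran as, it can be compared with the user named in the alert; a mismatch, or a command line that does not match a known administrative task, is the signal to escalate the investigation.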

With the capabilities discussed above, you can see there is a lot of data available to query that helps customers dig deeper into their environment after receiving an alert. As our products and analytics grow, we will continue to find more ways to elevate the customer experience across the Microsoft 365 security stack.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.