0xffhh · October 6, 2020 08:01
diff --git a/LAPSPasswordQueried-improved.kql b/LAPSPasswordQueried-improved.kql
 let allLAPSAdminHashes = DeviceProcessEvents
 | where FileName =~ "admpwd.ui.exe"
 | summarize by SHA1
 | invoke FileProfile(SHA1, 100)
 | where IsRootSignerMicrosoft and IsCertificateValid
 | project SHA1;
 DeviceEvents
 | where ActionType == "LdapSearch"
 | where AdditionalFields has "ms-MCS-AdmPwd"
 | where InitiatingProcessSHA1 !in (allLAPSAdminHashes)
 | extend LDAP = parse_json(AdditionalFields)
 | extend AttributeList = LDAP.AttributeList
 | extend ScopeOfSearch = LDAP.ScopeOfSearch
 | extend SearchFilter = LDAP.SearchFilter
 | extend DistinguishName = LDAP.DistinguishedName
 //| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, AttributeList, ScopeOfSearch, SearchFilter, DistinguishName, DeviceId, ReportId
 | sort by Timestamp desc
	let allLAPSAdminHashes = DeviceProcessEvents
	\| where FileName =~ "admpwd.ui.exe"
	\| summarize by SHA1
	\| invoke FileProfile(SHA1, 100)
	\| where IsRootSignerMicrosoft and IsCertificateValid
	\| project SHA1;
	DeviceEvents
	\| where ActionType == "LdapSearch"
	\| where AdditionalFields has "ms-MCS-AdmPwd"
	\| where InitiatingProcessSHA1 !in (allLAPSAdminHashes)
	\| extend LDAP = parse_json(AdditionalFields)
	\| extend AttributeList = LDAP.AttributeList
	\| extend ScopeOfSearch = LDAP.ScopeOfSearch
	\| extend SearchFilter = LDAP.SearchFilter
	\| extend DistinguishName = LDAP.DistinguishedName
	//\| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, AttributeList, ScopeOfSearch, SearchFilter, DistinguishName, DeviceId, ReportId
	\| sort by Timestamp desc