Ran the following Advanced Hunting KQL:
_Im_NetworkSession(eventresult='Failure')
| take 100
This was due to LabTech upgrades.
SrcIpAddr: 127.0.0.1
SrcPortNumber: 59615
DstIpAddr: 127.0.0.1
DstPortNumber: 42013
SrcDvcId: 7
SrcUsername: nt authority\system
NetworkProtocol: TCP
EventOriginalResultDetails: ConnectionFailed
ASimMatchingIpAddr: –
SrcDvcIdType: MDEid
SrcUsernameType: Windows
EventCount: 1
7
EventSchema: NetworkSession
EventSchemaVersion: 0.2.3
EventVendor: Microsoft
EventProduct: M365 Defender for Endpoint
EventType: NetworkSession
NetworkDirection: Outbound
Src: 127.0.0.1
Dst: 127.0.0.1
7
IpAddr: 127.0.0.1
DvcId:
SrcAppName: ltsvc.exe
Type: DeviceNetworkEvents
SrcAppType: Process
DvcIdType: MDEid
DvcIpAddr: 127.0.0.1
User: nt authority\system
ASimMatchingHostname: –
SrcUserIdType: SID
TenantId:
InitiatingProcessAccountDomain: nt authority
InitiatingProcessAccountName: system
InitiatingProcessFolderPath: c:\windows\ltsvc\ltsvc.exe
InitiatingProcessId: 19272
InitiatingProcessMD5:
ParentProcessName: services.exe
InitiatingProcessParentId: 1124
InitiatingProcessSHA1:
InitiatingProcessSHA256:
InitiatingProcessFileSize: 1623832
InitiatingProcessVersionInfoCompanyName: LabTech Software
InitiatingProcessVersionInfoProductName: LabTech MSP
InitiatingProcessVersionInfoProductVersion: 3.0
InitiatingProcessVersionInfoInternalFileName: LTSVC.exe
InitiatingProcessVersionInfoOriginalFileName: LTSVC.exe
InitiatingProcessVersionInfoFileDescription: LabTech Service
InitiatingProcessSessionId: 0
IsInitiatingProcessRemoteSession: false
InitiatingProcessUniqueId:
ParentProcessId:
Process: ltsvc.exe
SrcProcessCommandLine: LTSVC.exe -sLTService -nLabTech
SrcProcessName: ltsvc.exe
SrcProcessIntegrityLevel: System
SrcProcessTokenElevation: TokenElevationTypeDefault
SrcProcessCreationTime: