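---
# Sigma rule: alerts when a process other than the known AD FS service and
# management tooling opens the Windows Internal Database (WID) named pipe that
# backs the AD FS configuration database. Key order follows the original file;
# yml_filename / yml_path look like loader-added bookkeeping fields, not Sigma
# schema keys — confirm with the consuming tool before relying on them.
title: ADFS Database Named Pipe Connection
author: Roberto Rodriguez @Cyb3rWard0g
# Sigma date convention (YYYY/MM/DD); the slashes keep it a plain string
# rather than a YAML timestamp.
date: 2021/10/08
description: >-
  Detects suspicious local connections via a named pipe to the AD FS configuration
  database (Windows Internal Database). Used to access information such as the AD
  FS configuration settings which contains sensitive information used to sign SAML
  tokens.
detection:
  # Sysmon EventID 17 = Pipe Created, 18 = Pipe Connected; either event is
  # accepted so the rule fires regardless of which side is logged.
  SELECTION_1:
    EventID: 17
  SELECTION_2:
    EventID: 18
  # The WID tsql pipe of the AD FS configuration database. Single-quoted so the
  # backslashes and '##' are literal on every parser (in double quotes '\t'
  # would become a tab character).
  SELECTION_3:
    PipeName: '\MICROSOFT##WID\tsql\query'
  # Filter list: clients expected to talk to the WID pipe. wsmprovhost.exe
  # (WinRM / remote PowerShell host) and mmc.exe are broad exclusions — pipe
  # access from inside any such session is not alerted on, so correlate with
  # logon and process-creation telemetry when tuning.
  SELECTION_4:
    Image: '*Microsoft.IdentityServer.ServiceHost.exe'
  SELECTION_5:
    Image: '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
  SELECTION_6:
    Image: '*AzureADConnect.exe'
  SELECTION_7:
    Image: '*Microsoft.Tri.Sensor.exe'
  SELECTION_8:
    Image: '*wsmprovhost.exe'
  SELECTION_9:
    Image: '*mmc.exe'
  SELECTION_10:
    Image: '*sqlservr.exe'
  # Folded scalar: parses to the same single-line condition as the original.
  condition: >-
    ((SELECTION_1 or SELECTION_2) and SELECTION_3
    and not ((SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7
    or SELECTION_8 or SELECTION_9 or SELECTION_10)))
falsepositives:
  - Processes in the filter condition
id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
level: critical
logsource:
  category: pipe_created
  product: windows
modified: 2021/11/07
references:
  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
  - https://o365blog.com/post/adfs/
  - https://github.com/Azure/SimuLand
status: experimental
tags:
  - attack.collection
  - attack.t1005
yml_filename: sysmon_susp_adfs_namedpipe_connection.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/pipe_created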