Merge pull request #2128 from OTRF/feature/Susp-ADFS-NamedPipe

Detect suspicious named pipe connections to an AD FS WID

rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml

@@ -0,0 +1,33 @@
+title: ADFS Database Named Pipe Connection
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
+status: experimental
+date: 2021/10/08
+modified: 2021/10/08
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+    - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+    - https://o365blog.com/post/adfs/
+    - https://github.com/Azure/SimuLand
+tags:
+    - attack.collection
+    - attack.t1005
+logsource:
+    product: windows
+    service: pipe_connected
+detection:
+    selection:
+        PipeName: '\MICROSOFT##WID\tsql\query'
+    filter:
+        Image|endswith:
+            - 'Microsoft.IdentityServer.ServiceHost.exe'
+            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+            - 'AzureADConnect.exe'
+            - 'Microsoft.Tri.Sensor.exe'
+            - 'wsmprovhost.exe'
+            - 'mmc.exe'
+            - 'sqlservr.exe'
+    condition: selection and not filter
+falsepositives:
+    - Processes in the filter condition
+level: critical