From 7f17eaeb87019370134b4ac3cdd6f8812a9c7c65 Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Fri, 8 Oct 2021 01:57:22 -0400
Subject: [PATCH] added rule to detect suspicious named pipe connections to an AD FS server

---
 .../sysmon_susp_adfs_namedpipe_connection.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml

diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml
new file mode 100644
index 000000000..f1bc4e86d
--- /dev/null
+++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml
@@ -0,0 +1,33 @@
+title: ADFS Database Named Pipe Connection
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
+status: experimental
+date: 2021/10/08
+modified: 2021/10/08
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+ - https://o365blog.com/post/adfs/
+ - https://github.com/Azure/SimuLand
+tags:
+ - attack.collection
+ - attack.t1005
+logsource:
+ product: windows
+ service: pipe_connected
+detection:
+ selection:
+ PipeName: '\MICROSOFT##WID\tsql\query'
+ filter:
+ Image|endswith:
+ - 'Microsoft.IdentityServer.ServiceHost.exe'
+ - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+ - 'AzureADConnect.exe'
+ - 'Microsoft.Tri.Sensor.exe'
+ - 'wsmprovhost.exe'
+ - 'mmc.exe'
+ - 'sqlservr.exe'
+ condition: selection and not filter
+falsepositives:
+ - Processes in the filter condition
+level: critical
\ No newline at end of file
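Review bot: The `Image|endswith` filter values carry no leading path separator, so `'mmc.exe'` also excludes any image whose name merely ends in those characters (e.g. `evilmmc.exe`), and because the filter is name-only a collection tool renamed to `sqlservr.exe` or `mmc.exe` is excluded as well; anchor each entry with a backslash, e.g. `- '\mmc.exe'`, and consider pinning the AD FS, health-agent and Azure AD Connect entries to their install directories rather than bare file names. The logsource `service: pipe_connected` does not agree with the `rules/windows/pipe_created/` directory the file is placed in, and Sigma's supported logsource for Sysmon named-pipe events (EID 17/18) is `category: pipe_created`, so this rule is unlikely to be mapped by converters as written — `product: windows` / `category: pipe_created` is the expected pair. The `falsepositives` entry names the processes the filter already removes, which by construction cannot fire the rule; it would be more useful to list the unfiltered benign cases, e.g. `- Administrators querying the WID directly with sqlcmd or PowerShell on the AD FS server`. The `level: critical` is hard to justify while the rule excludes on file name alone; consider `high` until the filter is path-anchored.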