Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Gain Code Execution on ADFS Server via Remote WMI Execution

Back
Id0bd65651-1404-438b-8f63-eecddcec87b4
RulenameGain Code Execution on ADFS Server via Remote WMI Execution
DescriptionThis query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.

In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.

If you do not have Sysmon data in your workspace this query will raise an error stating:

Failed to resolve scalar expression named “[@Name]"

For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.

The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.

- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml

- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
SeverityMedium
TacticsLateralMovement
TechniquesT1210
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
Version1.1.3
Arm template0bd65651-1404-438b-8f63-eecddcec87b4.json
Deploy To Azure
let timeframe = 1d;
// Adjust for a longer timeframe for identifying ADFS Servers
let lookback = 6d;
// Identify ADFS Servers
let ADFS_Servers = ( union isfuzzy=true
( Event
| where TimeGenerated > ago(timeframe+lookback)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend process = split(Image, '\\', -1)[-1]
| where process =~ "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
),
( SecurityEvent
| where TimeGenerated > ago(timeframe+lookback)
| where EventID == 4688 and SubjectLogonId != "0x3e4"
| where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
),
(WindowsEvent
| where TimeGenerated > ago(timeframe+lookback)
| where EventID == 4688 and EventData has "0x3e4" and EventData has "Microsoft.IdentityServer.ServiceHost.exe"
| extend SubjectLogonId  = tostring(EventData.SubjectLogonId)
| where SubjectLogonId != "0x3e4"
| extend ProcessName  = tostring(EventData.ProcessName)
| where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
)
| distinct Computer);
(union isfuzzy=true
(
SecurityEvent
| where EventID == 4688
| where TimeGenerated > ago(timeframe)
| where Computer in~ (ADFS_Servers)
| where ParentProcessName has 'wmiprvse.exe'
// Looking for rundll32.exe is based on intel from the blog linked in the description
// This can be commented out or altered to filter out known internal uses
| where CommandLine has_any ('rundll32') 
| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
// Search for recent logons to identify lateral movement
| join kind= inner
(SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4624 and LogonType == 3
| where Account !endswith "$"
| project TargetLogonId
) on TargetLogonId
),
(
WindowsEvent
| where EventID == 4688
| where TimeGenerated > ago(timeframe)
| where Computer in~ (ADFS_Servers)
| where EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') 
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where ParentProcessName has 'wmiprvse.exe'
// Looking for rundll32.exe is based on intel from the blog linked in the description
// This can be commented out or altered to filter out known internal uses
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_any ('rundll32') 
| extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend TargetLogonId = tostring(EventData.TargetLogonId)
| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
// Search for recent logons to identify lateral movement
| join kind= inner
(WindowsEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4624 
| extend  LogonType = tostring(EventData.LogonType)
| where LogonType == 3
| extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| where Account !endswith "$"
| extend TargetLogonId = tostring(EventData.TargetLogonId)
| project TargetLogonId
) on TargetLogonId
),
(
Event
| where TimeGenerated > ago(timeframe)
| where Source == "Microsoft-Windows-Sysmon"
// Check for WMI Events
| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| project TimeGenerated, EventType, Image, Computer, UserName
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(UserName, "\\")[0]), AccountNTDomain = tostring(split(UserName, "\\")[1])
)
)
kind: Scheduled
relevantTechniques:
- T1210
metadata:
  support:
    tier: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
description: |
  'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.
  In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.
  If you do not have Sysmon data in your workspace this query will raise an error stating:
       Failed to resolve scalar expression named "[@Name]"
  For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.
  The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.
  - ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml
  - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml'  
queryPeriod: 7d
queryFrequency: 1d
tactics:
- LateralMovement
name: Gain Code Execution on ADFS Server via Remote WMI Execution
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserName
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
version: 1.1.3
id: 0bd65651-1404-438b-8f63-eecddcec87b4
query: |
  let timeframe = 1d;
  // Adjust for a longer timeframe for identifying ADFS Servers
  let lookback = 6d;
  // Identify ADFS Servers
  let ADFS_Servers = ( union isfuzzy=true
  ( Event
  | where TimeGenerated > ago(timeframe+lookback)
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key=tostring(['@Name']), Value=['#text']
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | extend process = split(Image, '\\', -1)[-1]
  | where process =~ "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  ),
  ( SecurityEvent
  | where TimeGenerated > ago(timeframe+lookback)
  | where EventID == 4688 and SubjectLogonId != "0x3e4"
  | where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  ),
  (WindowsEvent
  | where TimeGenerated > ago(timeframe+lookback)
  | where EventID == 4688 and EventData has "0x3e4" and EventData has "Microsoft.IdentityServer.ServiceHost.exe"
  | extend SubjectLogonId  = tostring(EventData.SubjectLogonId)
  | where SubjectLogonId != "0x3e4"
  | extend ProcessName  = tostring(EventData.ProcessName)
  | where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  )
  | distinct Computer);
  (union isfuzzy=true
  (
  SecurityEvent
  | where EventID == 4688
  | where TimeGenerated > ago(timeframe)
  | where Computer in~ (ADFS_Servers)
  | where ParentProcessName has 'wmiprvse.exe'
  // Looking for rundll32.exe is based on intel from the blog linked in the description
  // This can be commented out or altered to filter out known internal uses
  | where CommandLine has_any ('rundll32') 
  | project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
  // Search for recent logons to identify lateral movement
  | join kind= inner
  (SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4624 and LogonType == 3
  | where Account !endswith "$"
  | project TargetLogonId
  ) on TargetLogonId
  ),
  (
  WindowsEvent
  | where EventID == 4688
  | where TimeGenerated > ago(timeframe)
  | where Computer in~ (ADFS_Servers)
  | where EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') 
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has 'wmiprvse.exe'
  // Looking for rundll32.exe is based on intel from the blog linked in the description
  // This can be commented out or altered to filter out known internal uses
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_any ('rundll32') 
  | extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | extend TargetLogonId = tostring(EventData.TargetLogonId)
  | project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
  // Search for recent logons to identify lateral movement
  | join kind= inner
  (WindowsEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4624 
  | extend  LogonType = tostring(EventData.LogonType)
  | where LogonType == 3
  | extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | where Account !endswith "$"
  | extend TargetLogonId = tostring(EventData.TargetLogonId)
  | project TargetLogonId
  ) on TargetLogonId
  ),
  (
  Event
  | where TimeGenerated > ago(timeframe)
  | where Source == "Microsoft-Windows-Sysmon"
  // Check for WMI Events
  | where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key=tostring(['@Name']), Value=['#text']
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | project TimeGenerated, EventType, Image, Computer, UserName
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(UserName, "\\")[0]), AccountNTDomain = tostring(split(UserName, "\\")[1])
  )
  )  
triggerOperator: gt
tags:
- Solorigate
- NOBELIUM
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0bd65651-1404-438b-8f63-eecddcec87b4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0bd65651-1404-438b-8f63-eecddcec87b4')]",
      "properties": {
        "alertRuleTemplateName": "0bd65651-1404-438b-8f63-eecddcec87b4",
        "customDetails": null,
        "description": "'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\n     Failed to resolve scalar expression named \"[@Name]\"\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml'\n",
        "displayName": "Gain Code Execution on ADFS Server via Remote WMI Execution",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml",
        "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = ( union isfuzzy=true\n( Event\n| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n( SecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n(WindowsEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and EventData has \"0x3e4\" and EventData has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| extend SubjectLogonId  = tostring(EventData.SubjectLogonId)\n| where SubjectLogonId != \"0x3e4\"\n| extend ProcessName  = tostring(EventData.ProcessName)\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n| distinct Computer);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == 4688\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where ParentProcessName has 'wmiprvse.exe'\n// Looking for rundll32.exe is based on intel from the blog linked in the description\n// This can be commented out or altered to filter out known internal uses\n| where CommandLine has_any ('rundll32') \n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\n| extend timestamp = TimeGenerated\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, \"\\\\\")[0]), AccountNTDomain = tostring(split(Account, \"\\\\\")[1])\n// Search for recent logons to identify lateral movement\n| join kind= inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4624 and LogonType == 3\n| where Account !endswith \"$\"\n| project TargetLogonId\n) on TargetLogonId\n),\n(\nWindowsEvent\n| where EventID == 4688\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') \n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where ParentProcessName has 'wmiprvse.exe'\n// Looking for rundll32.exe is based on intel from the blog linked in the description\n// This can be commented out or altered to filter out known internal uses\n| extend CommandLine = tostring(EventData.CommandLine)\n| where CommandLine has_any ('rundll32') \n| extend TargetAccount = strcat(EventData.TargetDomainName,\"\\\\\", EventData.TargetUserName)\n| extend Account = strcat(EventData.TargetDomainName,\"\\\\\", EventData.TargetUserName)\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\n| extend timestamp = TimeGenerated\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, \"\\\\\")[0]), AccountNTDomain = tostring(split(Account, \"\\\\\")[1])\n// Search for recent logons to identify lateral movement\n| join kind= inner\n(WindowsEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4624 \n| extend  LogonType = tostring(EventData.LogonType)\n| where LogonType == 3\n| extend Account = strcat(EventData.TargetDomainName,\"\\\\\", EventData.TargetUserName)\n| where Account !endswith \"$\"\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\n| project TargetLogonId\n) on TargetLogonId\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n// Check for WMI Events\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| project TimeGenerated, EventType, Image, Computer, UserName\n| extend timestamp = TimeGenerated\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(UserName, \"\\\\\")[0]), AccountNTDomain = tostring(split(UserName, \"\\\\\")[1])\n)\n)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "tags": [
          "Solorigate",
          "NOBELIUM"
        ],
        "techniques": [
          "T1210"
        ],
        "templateVersion": "1.1.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}