Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Gain Code Execution on ADFS Server via SMB Remote Service or Scheduled Task

Gain Code Execution on ADFS Server via SMB Remote Service or Scheduled Task

Back
Id12dcea64-bec2-41c9-9df2-9f28461b1295
RulenameGain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task
DescriptionThis query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.
SeverityMedium
TacticsLateralMovement
TechniquesT1210
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/GainCodeExecutionADFSViaSMB.yaml
Version1.2.1
Arm template12dcea64-bec2-41c9-9df2-9f28461b1295.json
Deploy To Azure
let timeframe = 1d;
// Adjust for a longer timeframe for identifying ADFS Servers
let lookback = 6d;
// Identify ADFS Servers
let ADFS_Servers = (
SecurityEvent
| where TimeGenerated > ago(timeframe+lookback)
| where EventID == 4688 and SubjectLogonId != "0x3e4"
| where NewProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
);
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where Computer in~ (ADFS_Servers)
| where Account !endswith "$"
// Check for scheduled task events
| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)
| extend EventDataParsed = parse_xml(EventData)
| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3]["#text"])
// Check specifically for access to IPC$ share and PIPE\svcctl and PIPE\atsvc for Service Control Services and Schedule Control Services
| union (
    SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where Computer in~ (ADFS_Servers)
    | where Account !endswith "$"
    | where EventID == 5145
    | where RelativeTargetName =~ "svcctl" or RelativeTargetName  =~ "atsvc"
)
// Check for lateral movement
| join kind=inner
(SecurityEvent
| where TimeGenerated > ago(timeframe)
| where Account !endswith "$"
| where EventID == 4624 and LogonType == 3
) on $left.SubjectLogonId == $right.TargetLogonId
| project TimeGenerated, Account, Computer, EventID, RelativeTargetName
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])

triggerOperator: gt
queryFrequency: 1d
tags:
- Solorigate
- NOBELIUM
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
relevantTechniques:
- T1210
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
query: |
  let timeframe = 1d;
  // Adjust for a longer timeframe for identifying ADFS Servers
  let lookback = 6d;
  // Identify ADFS Servers
  let ADFS_Servers = (
  SecurityEvent
  | where TimeGenerated > ago(timeframe+lookback)
  | where EventID == 4688 and SubjectLogonId != "0x3e4"
  | where NewProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  );
  SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where Computer in~ (ADFS_Servers)
  | where Account !endswith "$"
  // Check for scheduled task events
  | where EventID in (4697, 4698, 4699, 4700, 4701, 4702)
  | extend EventDataParsed = parse_xml(EventData)
  | extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3]["#text"])
  // Check specifically for access to IPC$ share and PIPE\svcctl and PIPE\atsvc for Service Control Services and Schedule Control Services
  | union (
      SecurityEvent
      | where TimeGenerated > ago(timeframe)
      | where Computer in~ (ADFS_Servers)
      | where Account !endswith "$"
      | where EventID == 5145
      | where RelativeTargetName =~ "svcctl" or RelativeTargetName  =~ "atsvc"
  )
  // Check for lateral movement
  | join kind=inner
  (SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where Account !endswith "$"
  | where EventID == 4624 and LogonType == 3
  ) on $left.SubjectLogonId == $right.TargetLogonId
  | project TimeGenerated, Account, Computer, EventID, RelativeTargetName
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/GainCodeExecutionADFSViaSMB.yaml
queryPeriod: 7d
name: Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task
status: Available
kind: Scheduled
description: |
    'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.'
id: 12dcea64-bec2-41c9-9df2-9f28461b1295
version: 1.2.1
tactics:
- LateralMovement
severity: Medium