Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ADFS DKM Master Key Export

ADFS DKM Master Key Export

Back
Id18e6a87e-9d06-4a4e-8b59-3469cd49552d
RulenameADFS DKM Master Key Export
DescriptionIdentifies an export of the ADFS DKM Master Key from Active Directory.

References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/,

https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor

To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:

https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469

https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
SeverityMedium
TacticsCollection
TechniquesT1005
Required data connectorsMicrosoftThreatProtection
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
Version1.2.2
Arm template18e6a87e-9d06-4a4e-8b59-3469cd49552d.json
Deploy To Azure
(union isfuzzy=true 
(SecurityEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where ObjectServer == 'DS'
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
| extend timestamp = TimeGenerated, DeviceName = Computer
),
( WindowsEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
| extend ObjectServer = tostring(EventData.ObjectServer)
| where ObjectServer == 'DS'
| extend OperationType = tostring(EventData.OperationType)
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| extend ObjectType = tostring(EventData.ObjectType)
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| extend Properties = tostring(EventData.Properties)
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
| extend timestamp = TimeGenerated, DeviceName = Computer
),
(DeviceEvents
| where ActionType =~ "LdapSearch"
| where AdditionalFields.AttributeList contains "thumbnailPhoto"
| where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
)
)
| extend Account = strcat(AccountDomain, "\\", AccountName)

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
requiredDataConnectors:
- dataTypes:
  - SecurityEvents
  connectorId: SecurityEvents
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
tags:
- Solorigate
- NOBELIUM
name: ADFS DKM Master Key Export
relevantTechniques:
- T1005
query: |
  (union isfuzzy=true 
  (SecurityEvent 
  | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
  | where ObjectServer == 'DS'
  | where OperationType == 'Object Access'
  //| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
  | where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
  | where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
  | extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
  | extend timestamp = TimeGenerated, DeviceName = Computer
  ),
  ( WindowsEvent 
  | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
  | where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
  | extend ObjectServer = tostring(EventData.ObjectServer)
  | where ObjectServer == 'DS'
  | extend OperationType = tostring(EventData.OperationType)
  | where OperationType == 'Object Access'
  //| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
  | extend ObjectType = tostring(EventData.ObjectType)
  | where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
  | extend Properties = tostring(EventData.Properties)
  | where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
  | extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
  | extend timestamp = TimeGenerated, DeviceName = Computer
  ),
  (DeviceEvents
  | where ActionType =~ "LdapSearch"
  | where AdditionalFields.AttributeList contains "thumbnailPhoto"
  | where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
  | extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
  )
  )
  | extend Account = strcat(AccountDomain, "\\", AccountName)  
version: 1.2.2
queryPeriod: 1d
kind: Scheduled
id: 18e6a87e-9d06-4a4e-8b59-3469cd49552d
description: |
  'Identifies an export of the ADFS DKM Master Key from Active Directory.
  References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, 
  https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
  To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:
  https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469
  https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
  '  
queryFrequency: 1d
severity: Medium
triggerOperator: gt
tactics:
- Collection
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
  author:
    name: Microsoft Security Research