Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ADFS DKM Master Key Export

Back
Id18e6a87e-9d06-4a4e-8b59-3469cd49552d
RulenameADFS DKM Master Key Export
DescriptionIdentifies an export of the ADFS DKM Master Key from Active Directory.

References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/,

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1

To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:

https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469

https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
SeverityMedium
TacticsCollection
TechniquesT1005
Required data connectorsMicrosoftThreatProtection
SecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
Version1.2.1
Arm template18e6a87e-9d06-4a4e-8b59-3469cd49552d.json
Deploy To Azure
(union isfuzzy=true 
(SecurityEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where ObjectServer == 'DS'
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
| extend timestamp = TimeGenerated, DeviceName = Computer
),
( WindowsEvent 
| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
| extend ObjectServer = tostring(EventData.ObjectServer)
| where ObjectServer == 'DS'
| extend OperationType = tostring(EventData.OperationType)
| where OperationType == 'Object Access'
//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
| extend ObjectType = tostring(EventData.ObjectType)
| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
| extend Properties = tostring(EventData.Properties)
| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
| extend timestamp = TimeGenerated, DeviceName = Computer
),
(DeviceEvents
| where ActionType =~ "LdapSearch"
| where AdditionalFields.AttributeList contains "thumbnailPhoto"
| where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
)
)
| extend Account = strcat(AccountDomain, "\\", AccountName)
tags:
- Solorigate
- NOBELIUM
triggerThreshold: 0
relevantTechniques:
- T1005
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Microsoft Security Research
  source:
    kind: Community
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml
requiredDataConnectors:
- dataTypes:
  - SecurityEvents
  connectorId: SecurityEvents
- dataTypes:
  - DeviceEvents
  connectorId: MicrosoftThreatProtection
- dataTypes:
  - SecurityEvents
  connectorId: WindowsSecurityEvents
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
queryPeriod: 1d
tactics:
- Collection
severity: Medium
triggerOperator: gt
description: |
  'Identifies an export of the ADFS DKM Master Key from Active Directory.
  References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, 
  https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1
  To understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:
  https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469
  https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
  '  
query: |
  (union isfuzzy=true 
  (SecurityEvent 
  | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
  | where ObjectServer == 'DS'
  | where OperationType == 'Object Access'
  //| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
  | where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
  | where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
  | extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName
  | extend timestamp = TimeGenerated, DeviceName = Computer
  ),
  ( WindowsEvent 
  | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
  | where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') 
  | extend ObjectServer = tostring(EventData.ObjectServer)
  | where ObjectServer == 'DS'
  | extend OperationType = tostring(EventData.OperationType)
  | where OperationType == 'Object Access'
  //| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
  | extend ObjectType = tostring(EventData.ObjectType)
  | where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
  | extend Properties = tostring(EventData.Properties)
  | where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
  | extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)
  | extend timestamp = TimeGenerated, DeviceName = Computer
  ),
  (DeviceEvents
  | where ActionType =~ "LdapSearch"
  | where AdditionalFields.AttributeList contains "thumbnailPhoto"
  | where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
  | extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain
  )
  )
  | extend Account = strcat(AccountDomain, "\\", AccountName)  
name: ADFS DKM Master Key Export
version: 1.2.1
kind: Scheduled
id: 18e6a87e-9d06-4a4e-8b59-3469cd49552d
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: HostName
- entityType: AzureResource
  fieldMappings:
  - columnName: _ResourceId
    identifier: ResourceId
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/18e6a87e-9d06-4a4e-8b59-3469cd49552d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/18e6a87e-9d06-4a4e-8b59-3469cd49552d')]",
      "properties": {
        "alertRuleTemplateName": "18e6a87e-9d06-4a4e-8b59-3469cd49552d",
        "customDetails": null,
        "description": "'Identifies an export of the ADFS DKM Master Key from Active Directory.\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\n'\n",
        "displayName": "ADFS DKM Master Key Export",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml",
        "query": "(union isfuzzy=true \n(SecurityEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where ObjectServer == 'DS'\n| where OperationType == 'Object Access'\n//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.\n| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class\n| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\n| extend AccountName = SubjectUserName, AccountDomain = SubjectDomainName\n| extend timestamp = TimeGenerated, DeviceName = Computer\n),\n( WindowsEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where EventData has_all('Object Access', '5cb41ed0-0e4c-11d0-a286-00aa003049e2','8d3bca50-1d7e-11d0-a081-00aa006c33ed') \n| extend ObjectServer = tostring(EventData.ObjectServer)\n| where ObjectServer == 'DS'\n| extend OperationType = tostring(EventData.OperationType)\n| where OperationType == 'Object Access'\n//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.\n| extend ObjectType = tostring(EventData.ObjectType)\n| where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class\n| extend Properties = tostring(EventData.Properties)\n| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\n| extend AccountName = tostring(EventData.SubjectUserName), AccountDomain = tostring(EventData.SubjectDomainName)\n| extend timestamp = TimeGenerated, DeviceName = Computer\n),\n(DeviceEvents\n| where ActionType =~ \"LdapSearch\"\n| where AdditionalFields.AttributeList contains \"thumbnailPhoto\"\n| where AdditionalFields.DistinguishedName contains \"CN=ADFS,CN=Microsoft,CN=Program Data\" // Filter results to show only hits related to the ADFS AD container\n| extend timestamp = TimeGenerated, AccountName = InitiatingProcessAccountName, AccountDomain = InitiatingProcessAccountDomain\n)\n)\n| extend Account = strcat(AccountDomain, \"\\\\\", AccountName)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "tags": [
          "Solorigate",
          "NOBELIUM"
        ],
        "techniques": [
          "T1005"
        ],
        "templateVersion": "1.2.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}