Silverfort - Certifried Incident

Back


Id	9ae540c9-c926-4100-8f07-1eac22596292
Rulename	Silverfort - Certifried Incident
Description	An Active Directory domain privilege escalation vulnerability that enables a privileged user to access the Domain Controller by abusing Active Directory Certificate Service
Severity	High
Tactics	PrivilegeEscalation
Techniques	T1068
Required data connectors	SilverfortAma
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/Certifried.yaml
Version	1.0.0
Arm template	9ae540c9-c926-4100-8f07-1eac22596292.json

KQL

CommonSecurityLog 
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "Certifried"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/Certifried.yaml
name: Silverfort - Certifried Incident
requiredDataConnectors:
- connectorId: SilverfortAma
  dataTypes:
  - CommonSecurityLog
severity: High
query: |-
  CommonSecurityLog 
  | where DeviceVendor has 'Silverfort'
  | where DeviceProduct has 'Admin Console'
  | where DeviceEventClassID == "NewIncident"
  | where Message has "Certifried"
  | extend UserName = parse_json(replace('^""|""$', '', Message))['userName']  
kind: Scheduled
queryFrequency: 15m
tactics:
- PrivilegeEscalation
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserName
    identifier: Name
version: 1.0.0
relevantTechniques:
- T1068
triggerThreshold: 0
triggerOperator: gt
description: |
    'An Active Directory domain privilege escalation vulnerability that enables a privileged user to access the Domain Controller by abusing Active Directory Certificate Service'
id: 9ae540c9-c926-4100-8f07-1eac22596292
queryPeriod: 15m

ARM