Back
Idb838a13c-052e-45b8-a5ac-7d3eb62efa11
RulenameCertified Pre-Owned - TGTs requested with certificate authentication
DescriptionThis query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
SeverityMedium
TacticsDefenseEvasion
TechniquesT1036
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic%20Rules/CertifiedPreOwned-TGTs-requested.yaml
Version1.0.1
Arm templateb838a13c-052e-45b8-a5ac-7d3eb62efa11.json
Deploy To Azure
let timeframe=1h;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4768
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
  where d["@Name"]=="CertIssuerName"
  | project CIN=tostring(d["#text"])
)
| where not(isempty(CIN))
// <DECISION - 1>
// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
//| where not(CIN startswith "S-1-")
// <DECISION - 2>
// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
| parse CIN with "CN=" MachineName
//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")
kind: Scheduled
tactics:
- DefenseEvasion
version: 1.0.1
query: |
  let timeframe=1h;
  SecurityEvent
  | where TimeGenerated >= ago(timeframe)
  | where EventID == 4768
  | project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
  | mv-apply d=EventData.EventData.Data on
  (
    where d["@Name"]=="CertIssuerName"
    | project CIN=tostring(d["#text"])
  )
  | where not(isempty(CIN))
  // <DECISION - 1>
  // In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
  //| where not(CIN startswith "S-1-")
  // <DECISION - 2>
  // If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
  // The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
  // Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
  | parse CIN with "CN=" MachineName
  //| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
  //| where not(OperatingSystem startswith "Windows 10")
triggerOperator: gt
status: Available
queryFrequency: 1h
description: |
  This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
entityMappings:
- fieldMappings:
  - columnName: TargetAccount
    identifier: FullName
  entityType: Account
triggerThreshold: 0
relevantTechniques:
- T1036
name: Certified Pre-Owned - TGTs requested with certificate authentication
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic%20Rules/CertifiedPreOwned-TGTs-requested.yaml
id: b838a13c-052e-45b8-a5ac-7d3eb62efa11
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "properties": {
        "alertRuleTemplateName": "b838a13c-052e-45b8-a5ac-7d3eb62efa11",
        "customDetails": null,
        "description": "This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).\n",
        "displayName": "Certified Pre-Owned - TGTs requested with certificate authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAccount",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic%20Rules/CertifiedPreOwned-TGTs-requested.yaml",
        "query": "let timeframe=1h;\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4768\n| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)\n| mv-apply d=EventData.EventData.Data on\n(\n  where d[\"@Name\"]==\"CertIssuerName\"\n  | project CIN=tostring(d[\"#text\"])\n)\n| where not(isempty(CIN))\n// <DECISION - 1>\n// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.\n//| where not(CIN startswith \"S-1-\")\n// <DECISION - 2>\n// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.\n// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.\n// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.\n| parse CIN with \"CN=\" MachineName\n//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN\n//| where not(OperatingSystem startswith \"Windows 10\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1036"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}