Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Certified Pre-Owned - TGTs requested with certificate authentication

Certified Pre-Owned - TGTs requested with certificate authentication

Back
Idb838a13c-052e-45b8-a5ac-7d3eb62efa11
RulenameCertified Pre-Owned - TGTs requested with certificate authentication
DescriptionThis query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
SeverityMedium
TacticsDefenseEvasion
TechniquesT1036
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
Version1.0.1
Arm templateb838a13c-052e-45b8-a5ac-7d3eb62efa11.json
Deploy To Azure
let timeframe=1h;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4768
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
  where d["@Name"]=="CertIssuerName"
  | project CIN=tostring(d["#text"])
)
| where not(isempty(CIN))
// <DECISION - 1>
// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
//| where not(CIN startswith "S-1-")
// <DECISION - 2>
// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
| parse CIN with "CN=" MachineName
//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")

relevantTechniques:
- T1036
name: Certified Pre-Owned - TGTs requested with certificate authentication
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  entityType: Account
triggerThreshold: 0
id: b838a13c-052e-45b8-a5ac-7d3eb62efa11
tactics:
- DefenseEvasion
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
query: |
  let timeframe=1h;
  SecurityEvent
  | where TimeGenerated >= ago(timeframe)
  | where EventID == 4768
  | project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
  | mv-apply d=EventData.EventData.Data on
  (
    where d["@Name"]=="CertIssuerName"
    | project CIN=tostring(d["#text"])
  )
  | where not(isempty(CIN))
  // <DECISION - 1>
  // In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
  //| where not(CIN startswith "S-1-")
  // <DECISION - 2>
  // If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
  // The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
  // Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
  | parse CIN with "CN=" MachineName
  //| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
  //| where not(OperatingSystem startswith "Windows 10")  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "properties": {
        "alertRuleTemplateName": "b838a13c-052e-45b8-a5ac-7d3eb62efa11",
        "customDetails": null,
        "description": "This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).\n",
        "displayName": "Certified Pre-Owned - TGTs requested with certificate authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAccount",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml",
        "query": "let timeframe=1h;\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4768\n| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)\n| mv-apply d=EventData.EventData.Data on\n(\n  where d[\"@Name\"]==\"CertIssuerName\"\n  | project CIN=tostring(d[\"#text\"])\n)\n| where not(isempty(CIN))\n// <DECISION - 1>\n// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.\n//| where not(CIN startswith \"S-1-\")\n// <DECISION - 2>\n// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.\n// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.\n// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.\n| parse CIN with \"CN=\" MachineName\n//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN\n//| where not(OperatingSystem startswith \"Windows 10\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1036"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}