Certified Pre-Owned - TGTs requested with certificate authentication
| Id | b838a13c-052e-45b8-a5ac-7d3eb62efa11 |
| Rulename | Certified Pre-Owned - TGTs requested with certificate authentication |
| Description | This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs). |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1036 |
| Required data connectors | SecurityEvents WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml |
| Version | 1.0.1 |
| Arm template | b838a13c-052e-45b8-a5ac-7d3eb62efa11.json |
let timeframe=1h;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4768
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
where d["@Name"]=="CertIssuerName"
| project CIN=tostring(d["#text"])
)
| where not(isempty(CIN))
// <DECISION - 1>
// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
//| where not(CIN startswith "S-1-")
// <DECISION - 2>
// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
| parse CIN with "CN=" MachineName
//| join kind=leftouter MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
triggerThreshold: 0
status: Available
relevantTechniques:
- T1036
queryPeriod: 1h
name: Certified Pre-Owned - TGTs requested with certificate authentication
entityMappings:
- entityType: Account
fieldMappings:
- columnName: TargetAccount
identifier: FullName
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: |
This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
tactics:
- DefenseEvasion
severity: Medium
version: 1.0.1
query: |
let timeframe=1h;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4768
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
where d["@Name"]=="CertIssuerName"
| project CIN=tostring(d["#text"])
)
| where not(isempty(CIN))
// <DECISION - 1>
// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
//| where not(CIN startswith "S-1-")
// <DECISION - 2>
// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
| parse CIN with "CN=" MachineName
//| join kind=leftouter MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")
id: b838a13c-052e-45b8-a5ac-7d3eb62efa11