Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Certified Pre-Owned - TGTs requested with certificate authentication

Back
Idb838a13c-052e-45b8-a5ac-7d3eb62efa11
RulenameCertified Pre-Owned - TGTs requested with certificate authentication
DescriptionThis query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
SeverityMedium
TacticsDefenseEvasion
TechniquesT1036
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
Version1.0.1
Arm templateb838a13c-052e-45b8-a5ac-7d3eb62efa11.json
Deploy To Azure
let timeframe=1h;
SecurityEvent
| where TimeGenerated >= ago(timeframe)
| where EventID == 4768
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
  where d["@Name"]=="CertIssuerName"
  | project CIN=tostring(d["#text"])
)
| where not(isempty(CIN))
// <DECISION - 1>
// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
//| where not(CIN startswith "S-1-")
// <DECISION - 2>
// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
| parse CIN with "CN=" MachineName
//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")
name: Certified Pre-Owned - TGTs requested with certificate authentication
version: 1.0.1
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1036
status: Available
description: |
    This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  entityType: Account
tactics:
- DefenseEvasion
queryPeriod: 1h
query: |
  let timeframe=1h;
  SecurityEvent
  | where TimeGenerated >= ago(timeframe)
  | where EventID == 4768
  | project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
  | mv-apply d=EventData.EventData.Data on
  (
    where d["@Name"]=="CertIssuerName"
    | project CIN=tostring(d["#text"])
  )
  | where not(isempty(CIN))
  // <DECISION - 1>
  // In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
  //| where not(CIN startswith "S-1-")
  // <DECISION - 2>
  // If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
  // The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
  // Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
  | parse CIN with "CN=" MachineName
  //| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
  //| where not(OperatingSystem startswith "Windows 10")  
kind: Scheduled
triggerThreshold: 0
id: b838a13c-052e-45b8-a5ac-7d3eb62efa11
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "properties": {
        "alertRuleTemplateName": "b838a13c-052e-45b8-a5ac-7d3eb62efa11",
        "customDetails": null,
        "description": "This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).\n",
        "displayName": "Certified Pre-Owned - TGTs requested with certificate authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAccount",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml",
        "query": "let timeframe=1h;\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4768\n| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)\n| mv-apply d=EventData.EventData.Data on\n(\n  where d[\"@Name\"]==\"CertIssuerName\"\n  | project CIN=tostring(d[\"#text\"])\n)\n| where not(isempty(CIN))\n// <DECISION - 1>\n// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.\n//| where not(CIN startswith \"S-1-\")\n// <DECISION - 2>\n// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.\n// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.\n// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.\n| parse CIN with \"CN=\" MachineName\n//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN\n//| where not(OperatingSystem startswith \"Windows 10\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1036"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}