Microsoft Sentinel Analytic Rules

Certified Pre-Owned - TGTs requested with certificate authentication

Id: b838a13c-052e-45b8-a5ac-7d3eb62efa11
Rule name: Certified Pre-Owned - TGTs requested with certificate authentication
Description: This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1036
Required data connectors: SecurityEvents
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
Version: 1.0.0
Arm template: b838a13c-052e-45b8-a5ac-7d3eb62efa11.json
// Certified Pre-Owned - TGTs requested with certificate authentication.
// Returns Kerberos TGT requests (Security event 4768) whose event data carries a
// CertIssuerName value, i.e. the TGT was requested with certificate-based pre-authentication
// rather than a password. Each output row keeps TimeGenerated, Computer, TargetAccount (the
// column the rule maps to the Account entity), the issuer string CIN and the CN parsed
// from it as MachineName.
let timeframe=1h;
SecurityEvent
// Look-back window. Keep this equal to the rule's queryPeriod (1h) so consecutive scheduled
// runs neither overlap nor leave gaps.
| where TimeGenerated >= ago(timeframe)
// 4768 = "A Kerberos authentication ticket (TGT) was requested".
| where EventID == 4768
// EventData holds the raw event XML; parse it so the individual <Data Name="..."> elements
// can be walked below.
// NOTE(review): only these four columns survive the projection, so the event's result code
// and client address are not available downstream — successful and failed requests are
// treated alike here. Confirm that is intended.
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
// Expand the <Data> elements and keep just the CertIssuerName text as CIN.
| mv-apply d=EventData.EventData.Data on
(
  where d["@Name"]=="CertIssuerName"
  | project CIN=tostring(d["#text"])
)
// Rows without a certificate issuer (presumably password or other pre-auth) are dropped.
| where not(isempty(CIN))
// <DECISION - 1>
// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
// NOTE(review): the filter below ships commented out, so by default SID-prefixed issuers are
// NOT excluded; the "comment out the next line" wording above reads as if it were active —
// confirm which default is intended before tuning.
//| where not(CIN startswith "S-1-")
// <DECISION - 2>
// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
// Everything after the first "CN=" in the issuer string becomes MachineName: no trailing
// delimiter is given, so any further RDNs (e.g. ", DC=...") stay in it, and rows whose
// issuer contains no "CN=" are kept with an empty MachineName. Keep that in mind for the
// $right.CN join below.
| parse CIN with "CN=" MachineName
//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")
# Microsoft Sentinel scheduled analytic rule definition (source of the ARM template below).
kind: Scheduled
status: Available
# Fire on any returned row: operator gt with threshold 0.
triggerThreshold: 0
relevantTechniques:
- T1036
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml
# The query reads the SecurityEvent table, so the SecurityEvents connector must be ingesting
# Security event 4768 from the domain controllers.
# NOTE(review): confirm the configured event collection set for that connector includes 4768,
# otherwise the rule runs but never matches.
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
queryPeriod: 1h
tactics:
- DefenseEvasion
severity: Medium
triggerOperator: gt
description: |
    This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).
# KQL body. The `let timeframe=1h` inside it must stay equal to queryPeriod above, otherwise
# the query's own look-back and the scheduler window drift apart.
query: |
  let timeframe=1h;
  SecurityEvent
  | where TimeGenerated >= ago(timeframe)
  | where EventID == 4768
  | project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
  | mv-apply d=EventData.EventData.Data on
  (
    where d["@Name"]=="CertIssuerName"
    | project CIN=tostring(d["#text"])
  )
  | where not(isempty(CIN))
  // <DECISION - 1>
  // In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.
  //| where not(CIN startswith "S-1-")
  // <DECISION - 2>
  // If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.
  // The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.
  // Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
  | parse CIN with "CN=" MachineName
  //| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN
  //| where not(OperatingSystem startswith "Windows 10")  
name: Certified Pre-Owned - TGTs requested with certificate authentication
version: 1.0.0
id: b838a13c-052e-45b8-a5ac-7d3eb62efa11
# Runs every hour over the last hour (queryFrequency == queryPeriod), so windows do not overlap.
queryFrequency: 1h
# TargetAccount from the 4768 event is surfaced as the Account entity (FullName identifier),
# which is what incident grouping and investigation graph pivots will key on.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: TargetAccount
    identifier: FullName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b838a13c-052e-45b8-a5ac-7d3eb62efa11')]",
      "properties": {
        "alertRuleTemplateName": "b838a13c-052e-45b8-a5ac-7d3eb62efa11",
        "customDetails": null,
        "description": "This query identifies someone using machine certificates to request Kerberos Ticket Granting Tickets (TGTs).\n",
        "displayName": "Certified Pre-Owned - TGTs requested with certificate authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAccount",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday/Analytic Rules/CertifiedPreOwned-TGTs-requested.yaml",
        "query": "let timeframe=1h;\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4768\n| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)\n| mv-apply d=EventData.EventData.Data on\n(\n  where d[\"@Name\"]==\"CertIssuerName\"\n  | project CIN=tostring(d[\"#text\"])\n)\n| where not(isempty(CIN))\n// <DECISION - 1>\n// In some environments, we see a lot of certs starting with a sid and containing live.com. Comment out the next line if you have that as well.\n//| where not(CIN startswith \"S-1-\")\n// <DECISION - 2>\n// If you're seeing a significant number of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20.\n// The following line allows you to filter out all endpoints. This does introduce a blindspot, and you need a custom function which provides data about (on-prem) AD machines.\n// Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.\n| parse CIN with \"CN=\" MachineName\n//| join kind=leftouter  MyCustomLookupFunction on $left.MachineName == $right.CN\n//| where not(OperatingSystem startswith \"Windows 10\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1036"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}