Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

AD FS Abnormal EKU object identifier attribute

Back
Idcfc1ae62-db63-4a3e-b88b-dc04030c2257
RulenameAD FS Abnormal EKU object identifier attribute
DescriptionThis detection uses Security events from the “AD FS Auditing” provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.

This query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated

by the OID_Length field, could also be an indicator of malicious activity.

In order to use this query you need to enable AD FS auditing on the AD FS Server.

References:

https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
SeverityHigh
TacticsCredentialAccess
TechniquesT1552
Required data connectorsSecurityEvents
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml
Version1.0.4
Arm templatecfc1ae62-db63-4a3e-b88b-dc04030c2257.json
Deploy To Azure
// change the starttime value for a longer period of known OIDs
let starttime = 1d;
// change the lookback value for a longer period of lookback for suspicious/abnormal
let lookback = 1h;
let OIDList = SecurityEvent
| where TimeGenerated >= ago(starttime)
| where EventSourceName == 'AD FS Auditing'
| where EventID == 501
| where EventData has '/eku'
| extend OIDs = extract_all(@"<Data>([\d+\.]+)</Data>", EventData)
| mv-expand OIDs
| extend OID = tostring(OIDs)
| extend OID_Length = strlen(OID)
| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData
;
OIDList
| where TimeGenerated >= ago(lookback)
| join kind=leftanti (
OIDList
| where TimeGenerated between (ago(starttime) .. ago(lookback))
| summarize by OID
) on OID
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
kind: Scheduled
relevantTechniques:
- T1552
metadata:
  support:
    tier: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
description: |
  'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.
  This query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated
  by the OID_Length field, could also be an indicator of malicious activity.
  In order to use this query you need to enable AD FS auditing on the AD FS Server.
  References:
  https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
  https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
  '  
queryPeriod: 1d
queryFrequency: 1h
tactics:
- CredentialAccess
name: AD FS Abnormal EKU object identifier attribute
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml
version: 1.0.4
id: cfc1ae62-db63-4a3e-b88b-dc04030c2257
query: |
  // change the starttime value for a longer period of known OIDs
  let starttime = 1d;
  // change the lookback value for a longer period of lookback for suspicious/abnormal
  let lookback = 1h;
  let OIDList = SecurityEvent
  | where TimeGenerated >= ago(starttime)
  | where EventSourceName == 'AD FS Auditing'
  | where EventID == 501
  | where EventData has '/eku'
  | extend OIDs = extract_all(@"<Data>([\d+\.]+)</Data>", EventData)
  | mv-expand OIDs
  | extend OID = tostring(OIDs)
  | extend OID_Length = strlen(OID)
  | project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData
  ;
  OIDList
  | where TimeGenerated >= ago(lookback)
  | join kind=leftanti (
  OIDList
  | where TimeGenerated between (ago(starttime) .. ago(lookback))
  | summarize by OID
  ) on OID
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
triggerOperator: gt
tags:
- Nobelium
- MagicWeb
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cfc1ae62-db63-4a3e-b88b-dc04030c2257')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cfc1ae62-db63-4a3e-b88b-dc04030c2257')]",
      "properties": {
        "alertRuleTemplateName": "cfc1ae62-db63-4a3e-b88b-dc04030c2257",
        "customDetails": null,
        "description": "'This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.\nThis query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated\nby the OID_Length field, could also be an indicator of malicious activity.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReferences:\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\n'\n",
        "displayName": "AD FS Abnormal EKU object identifier attribute",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml",
        "query": "// change the starttime value for a longer period of known OIDs\nlet starttime = 1d;\n// change the lookback value for a longer period of lookback for suspicious/abnormal\nlet lookback = 1h;\nlet OIDList = SecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventSourceName == 'AD FS Auditing'\n| where EventID == 501\n| where EventData has '/eku'\n| extend OIDs = extract_all(@\"<Data>([\\d+\\.]+)</Data>\", EventData)\n| mv-expand OIDs\n| extend OID = tostring(OIDs)\n| extend OID_Length = strlen(OID)\n| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData\n;\nOIDList\n| where TimeGenerated >= ago(lookback)\n| join kind=leftanti (\nOIDList\n| where TimeGenerated between (ago(starttime) .. ago(lookback))\n| summarize by OID\n) on OID\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "tags": [
          "Nobelium",
          "MagicWeb"
        ],
        "techniques": [
          "T1552"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}