AD FS Abnormal EKU object identifier attribute
| Id | cfc1ae62-db63-4a3e-b88b-dc04030c2257 |
| Rulename | AD FS Abnormal EKU object identifier attribute |
| Description | This detection uses Security events from the “AD FS Auditing” provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes. This query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated by the OID_Length field, could also be an indicator of malicious activity. In order to use this query you need to enable AD FS auditing on the AD FS Server. References: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/ https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging |
| Severity | High |
| Tactics | CredentialAccess |
| Techniques | T1552 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml |
| Version | 1.0.2 |
| Arm template | cfc1ae62-db63-4a3e-b88b-dc04030c2257.json |
// change the starttime value for a longer period of known OIDs
let starttime = 1d;
// change the lookback value for a longer period of lookback for suspicious/abnormal
let lookback = 1h;
let OIDList = SecurityEvent
| where TimeGenerated >= ago(starttime)
| where EventSourceName == 'AD FS Auditing'
| where EventID == 501
| where EventData has '/eku'
| extend OIDs = extract_all(@"<Data>([\d+\.]+)</Data>", EventData)
| mv-expand OIDs
| extend OID = tostring(OIDs)
| extend OID_Length = strlen(OID)
| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData
;
OIDList
| where TimeGenerated >= ago(lookback)
| join kind=leftanti (
OIDList
| where TimeGenerated between (ago(starttime) .. ago(lookback))
| summarize by OID
) on OID
kind: Scheduled
metadata:
support:
tier: Community
categories:
domains:
- Security - Others
- Identity
source:
kind: Community
author:
name: Ajeet Prakash
severity: High
tags:
- Nobelium
- MagicWeb
name: AD FS Abnormal EKU object identifier attribute
entityMappings:
- entityType: Host
fieldMappings:
- columnName: Computer
identifier: FullName
relevantTechniques:
- T1552
queryFrequency: 1h
triggerThreshold: 0
queryPeriod: 1d
description: |
'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.
This query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated
by the OID_Length field, could also be an indicator of malicious activity.
In order to use this query you need to enable AD FS auditing on the AD FS Server.
References:
https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
'
id: cfc1ae62-db63-4a3e-b88b-dc04030c2257
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml
version: 1.0.2
tactics:
- CredentialAccess
query: |
// change the starttime value for a longer period of known OIDs
let starttime = 1d;
// change the lookback value for a longer period of lookback for suspicious/abnormal
let lookback = 1h;
let OIDList = SecurityEvent
| where TimeGenerated >= ago(starttime)
| where EventSourceName == 'AD FS Auditing'
| where EventID == 501
| where EventData has '/eku'
| extend OIDs = extract_all(@"<Data>([\d+\.]+)</Data>", EventData)
| mv-expand OIDs
| extend OID = tostring(OIDs)
| extend OID_Length = strlen(OID)
| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData
;
OIDList
| where TimeGenerated >= ago(lookback)
| join kind=leftanti (
OIDList
| where TimeGenerated between (ago(starttime) .. ago(lookback))
| summarize by OID
) on OID
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cfc1ae62-db63-4a3e-b88b-dc04030c2257')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cfc1ae62-db63-4a3e-b88b-dc04030c2257')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "AD FS Abnormal EKU object identifier attribute",
"description": "'This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious object identifiers (OIDs) as part EventID 501 and specifically part of the Enhanced Key Usage attributes.\nThis query checks to see if you have any new OIDs in the last hour that have not been seen in the previous day. New OIDs should be validated and OIDs that are very long, as indicated\nby the OID_Length field, could also be an indicator of malicious activity.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReferences:\nhttps://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/\nhttps://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging\n'\n",
"severity": "High",
"enabled": true,
"query": "// change the starttime value for a longer period of known OIDs\nlet starttime = 1d;\n// change the lookback value for a longer period of lookback for suspicious/abnormal\nlet lookback = 1h;\nlet OIDList = SecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventSourceName == 'AD FS Auditing'\n| where EventID == 501\n| where EventData has '/eku'\n| extend OIDs = extract_all(@\"<Data>([\\d+\\.]+)</Data>\", EventData)\n| mv-expand OIDs\n| extend OID = tostring(OIDs)\n| extend OID_Length = strlen(OID)\n| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData\n;\nOIDList\n| where TimeGenerated >= ago(lookback)\n| join kind=leftanti (\nOIDList\n| where TimeGenerated between (ago(starttime) .. ago(lookback))\n| summarize by OID\n) on OID\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1552"
],
"alertRuleTemplateName": "cfc1ae62-db63-4a3e-b88b-dc04030c2257",
"customDetails": null,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Computer"
}
]
}
],
"templateVersion": "1.0.2",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSAbnormalEnhancedKeyUsageAttribute-OID.yaml",
"tags": [
"Nobelium",
"MagicWeb"
]
}
}
]
}