ADFS Database Named Pipe Connection By Uncommon Tool

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.

Sigma rule (View on GitHub)

 1title: ADFS Database Named Pipe Connection By Uncommon Tool
 2id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
 3status: test
 4description: |
 5    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
 6    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.    
 7references:
 8    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
 9    - https://o365blog.com/post/adfs/
10    - https://github.com/Azure/SimuLand
11author: Roberto Rodriguez @Cyb3rWard0g
12date: 2021-10-08
13modified: 2023-11-30
14tags:
15    - attack.collection
16    - attack.t1005
17logsource:
18    product: windows
19    category: pipe_created
20    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22    selection:
23        PipeName: '\MICROSOFT##WID\tsql\query'
24    filter_main_generic:
25        Image|endswith:
26            - ':\Windows\System32\mmc.exe'
27            - ':\Windows\system32\svchost.exe'
28            - ':\Windows\System32\wsmprovhost.exe'
29            - ':\Windows\SysWOW64\mmc.exe'
30            - ':\Windows\SysWOW64\wsmprovhost.exe'
31            - ':\Windows\WID\Binn\sqlwriter.exe'
32            - '\AzureADConnect.exe'
33            - '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
34            - '\Microsoft.IdentityServer.ServiceHost.exe'
35            - '\Microsoft.Tri.Sensor.exe'
36            - '\sqlservr.exe'
37            - '\tssdis.exe'
38    condition: selection and not 1 of filter_main_*
39falsepositives:
40    - Unknown
41level: medium

References

Related rules

to-top