ADFS Database Named Pipe Connection By Uncommon Tool

 1title: ADFS Database Named Pipe Connection By Uncommon Tool
 2id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
 3status: test
 4description: |
 5    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
 6    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.    
 7references:
 8    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
 9    - https://o365blog.com/post/adfs/
10    - https://github.com/Azure/SimuLand
11author: Roberto Rodriguez @Cyb3rWard0g
12date: 2021/10/08
13modified: 2023/11/30
14tags:
15    - attack.collection
16    - attack.t1005
17logsource:
18    product: windows
19    category: pipe_created
20    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
21detection:
22    selection:
23        PipeName: '\MICROSOFT##WID\tsql\query'
24    filter_main_generic:
25        Image|endswith:
26            - ':\Windows\System32\mmc.exe'
27            - ':\Windows\system32\svchost.exe'
28            - ':\Windows\System32\wsmprovhost.exe'
29            - ':\Windows\SysWOW64\mmc.exe'
30            - ':\Windows\SysWOW64\wsmprovhost.exe'
31            - ':\Windows\WID\Binn\sqlwriter.exe'
32            - '\AzureADConnect.exe'
33            - '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
34            - '\Microsoft.IdentityServer.ServiceHost.exe'
35            - '\Microsoft.Tri.Sensor.exe'
36            - '\sqlservr.exe'
37            - '\tssdis.exe'
38    condition: selection and not 1 of filter_main_*
39falsepositives:
40    - Unknown
41level: medium

References

• Azure-Sentinel/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml at f99542b94afe0ad2f19a82cc08262e7ac8e1428e · Azure/Azure-Sentinel

  

  Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel

  
  Read More

• Exporting AD FS certificates revisited: Tactics, Techniques and Procedures

  

  I’ve talked about AD FS issues for a couple years now, and finally, after the Solorigate/Sunburst, the world is finally listening 😉 In this blog, I’ll explain the currently known TTPs to exploit AD FS certificates, and introduce a totally new technique to export the configuration data remotely.

  
  Read More

• GitHub - Azure/SimuLand: Understand adversary tradecraft and improve detection strategies

  

  Understand adversary tradecraft and improve detection strategies - Azure/SimuLand

  
  Read More

Related rules

• SQLite Chromium Profile Data DB Access
• SQLite Firefox Profile Data DB Access
• Potential Conti Ransomware Database Dumping Activity Via SQLCmd
• AWS EC2 VM Export Failure
• VeeamBackup Database Credentials Dump Via Sqlcmd.EXE