Detection rules › Kusto Query Language
ADFS Database Named Pipe Connection
This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). To use this query you need to be collecting Sysmon Event ID 18 (Pipe Connected). If you do not have Sysmon data in your workspace, this query will raise an error stating: Failed to resolve scalar expression named "[@Name]". Note that the rule excludes known-good clients by image file name only (Stage 15), so any process whose executable is named like one of the excluded images is also suppressed; tune that list to the software actually present on your AD FS servers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1005 Data from Local System |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 18 | PipeEvent (Pipe Connected) |
Stages and Predicates
Stage 1: source
Event
Stage 2: where
Source eq "Microsoft-Windows-Sysmon"
Stage 3: where
EventID eq "18"
Stage 4: where
Computer in ADFS_Servers
Stage 5: extend
Stage 6: extend
Stage 7: mv-expand
Stage 8: evaluate
Stage 9: extend
Stage 10: evaluate
Stage 11: extend
Stage 12: parse
Stage 13: where
PipeName eq "\\MICROSOFT##WID\\tsql\\query"
Stage 14: extend
Stage 15: where
not (process in ["AzureADConnect.exe", "Microsoft.Identity.Health.Adfs.PshSurrogate.exe", "Microsoft.IdentityServer.ServiceHost.exe", "Microsoft.Tri.Sensor.exe", "mmc.exe", "sqlservr.exe", "wsmprovhost.exe"])
Stage 16: extend
Stage 17: project-reorder
Stage 18: extend
Stage 19: extend
Stage 20: extend
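The stage list above is the shape of the KQL pipeline, but it is easier to see what the rule actually matches by running the same logic over a handful of records. The following Python is an added example written for this page, not the rule's own code or anything shipped with the detection catalog. It assumes the Log Analytics layout the query parses (Sysmon event body stored as `<DataItem><EventData><Data Name=...>` XML), and the five sample events, the `ADFS01`/`WEB01` hostnames, users and timestamps are all constructed for the demonstration.

```python
"""Re-implementation of the ADFS WID named-pipe rule over Sysmon Event ID 18.

Added example for this page, not the rule's own code. Sample events below
are constructed; the XML layout mirrors what the KQL stages unpack with
parse_xml(EventData).DataItem.EventData.Data.
"""
import xml.etree.ElementTree as ET

# Sysmon logs the pipe name without the \\.\pipe\ prefix. The KQL literal
# "\\MICROSOFT##WID\\tsql\\query" decodes to exactly this string.
WID_PIPE = r"\MICROSOFT##WID\tsql\query"

# Stage 15 exclusion list: images expected to talk to the configuration DB.
# Matching is by file name only, so a renamed binary with one of these names
# would also be suppressed.
ALLOWED_PROCESSES = {
    "AzureADConnect.exe",
    "Microsoft.Identity.Health.Adfs.PshSurrogate.exe",
    "Microsoft.IdentityServer.ServiceHost.exe",
    "Microsoft.Tri.Sensor.exe",
    "mmc.exe",
    "sqlservr.exe",
    "wsmprovhost.exe",
}


def unpack_event_data(event_data_xml):
    """Stages 5-11: turn <Data Name="X">value</Data> elements into a dict,
    the equivalent of parse_xml + mv-expand + bag_unpack + pivot in KQL."""
    root = ET.fromstring(event_data_xml)
    fields = {}
    for elem in root.iter():
        # Strip the Windows event XML namespace so namespaced and bare <Data> both match.
        if elem.tag.rsplit("}", 1)[-1] == "Data" and elem.get("Name"):
            fields[elem.get("Name")] = elem.text or ""
    return fields


def image_basename(image):
    """Stage 14: split(Image, '\\\\')[-1], the file name of the connecting process."""
    return image.rsplit("\\", 1)[-1]


def detect(events, adfs_servers):
    """Stages 2-4, 13 and 15 applied in order; returns one hit per matching row.
    Comparisons are case-sensitive, as the KQL `in` / `!in` operators are."""
    hits = []
    for ev in events:
        if ev["Source"] != "Microsoft-Windows-Sysmon" or ev["EventID"] != 18:
            continue
        if ev["Computer"] not in adfs_servers:
            continue
        fields = unpack_event_data(ev["EventData"])
        if fields.get("PipeName") != WID_PIPE:
            continue
        process = image_basename(fields.get("Image", ""))
        if process in ALLOWED_PROCESSES:
            continue
        hits.append({
            "TimeGenerated": ev["TimeGenerated"],
            "Computer": ev["Computer"],
            "Process": process,
            "Image": fields.get("Image", ""),
            "User": fields.get("User", ""),
            "PipeName": fields["PipeName"],
        })
    return hits


def sysmon_event(computer, event_id, time, **data):
    """Build a constructed Event-table row in the XML shape the KQL parses."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    xml = ('<DataItem type="System.XmlData"><EventData '
           'xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
           f"{body}</EventData></DataItem>")
    return {"TimeGenerated": time, "Source": "Microsoft-Windows-Sysmon",
            "EventID": event_id, "Computer": computer, "EventData": xml}


ADFS_SERVERS = ["ADFS01"]  # constructed stand-in for the rule's ADFS_Servers list
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Expected: the AD FS service host using its own configuration database.
    sysmon_event("ADFS01", 18, "2024-01-01T08:00:00Z", EventType="PipeConnected",
                 PipeName=WID_PIPE, User=r"CONTOSO\svc_adfs",
                 Image=r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe"),
    # Suspicious: an unlisted process (PowerShell) opening the WID query pipe.
    sysmon_event("ADFS01", 18, "2024-01-01T08:05:00Z", EventType="PipeConnected",
                 PipeName=WID_PIPE, User=r"CONTOSO\jdoe", Image=PS_IMAGE),
    # Same process, unrelated pipe: fails the Stage 13 PipeName check.
    sysmon_event("ADFS01", 18, "2024-01-01T08:06:00Z", EventType="PipeConnected",
                 PipeName=r"\PSHost.1234.1.DefaultAppDomain.powershell",
                 User=r"CONTOSO\jdoe", Image=PS_IMAGE),
    # Pipe Created (ID 17) rather than Pipe Connected: outside the rule's scope.
    sysmon_event("ADFS01", 17, "2024-01-01T08:07:00Z", EventType="PipeCreated",
                 PipeName=WID_PIPE, User=r"CONTOSO\jdoe", Image=PS_IMAGE),
    # Host not in ADFS_Servers: dropped by Stage 4.
    sysmon_event("WEB01", 18, "2024-01-01T08:08:00Z", EventType="PipeConnected",
                 PipeName=WID_PIPE, User=r"CONTOSO\jdoe", Image=PS_IMAGE),
]


def run_sample():
    return detect(SAMPLE_EVENTS, ADFS_SERVERS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Only the second sample produces a hit. The example keeps the rule's semantics deliberately, including the two points worth knowing when tuning it: the `Computer` filter is an exact hostname match against whatever `ADFS_Servers` contains, and the exclusion acts on the image file name alone rather than on a path or a signer.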
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 15 | process | in | AzureADConnect.exe, Microsoft.Identity.Health.Adfs.PshSurrogate.exe, Microsoft.IdentityServer.ServiceHost.exe, Microsoft.Tri.Sensor.exe, mmc.exe, sqlservr.exe, wsmprovhost.exe |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| Computer | in | ADFS_Servers |
| EventID | eq | 18 |
| PipeName | eq | \\MICROSOFT##WID\\tsql\\query |
| Source | eq | Microsoft-Windows-Sysmon |