AD FS Remote HTTP Network Connection
This detection uses Sysmon network connection events (Event ID 3) to find incoming traffic on TCP port 80 on AD FS servers. Such traffic can be a sign of a threat actor using the AD FS replication service to pull the server's configuration settings and extract sensitive material such as the AD FS certificates (including the token-signing certificate). The rule keeps only connections that Sysmon records as not initiated by the host (Initiated = false) and attributed to the System process, which is how inbound connections accepted by the kernel-mode HTTP.sys listener that AD FS uses for its HTTP endpoints are logged. Other AD FS servers in the same farm synchronise configuration from the primary over port 80, so farm members are expected sources and should be tuned out rather than treated as alerts. To use this query you need Sysmon telemetry from the AD FS servers forwarded into the Event table. Reference: https://twitter.com/OTR_Community/status/1387038995016732672
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Collection | T1005 Data from Local System |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
Only Event ID 3 is filtered on in the stages below; Event ID 18 is listed as coverage, but no predicate in the rule references it.
Stages and Predicates
Stage 1: source
Event
Stage 2: where
Source eq "Microsoft-Windows-Sysmon"
Stage 3: where
Computer in ADFS_Servers (the set of hosts identified as AD FS servers)
Stage 4: extend
Stage 5: extend
Stage 6: mv-expand
Stage 7: evaluate
Stage 8: extend
Stage 9: evaluate
Stage 10: extend
Stage 11: parse
Stage 12: where
EventID eq "3"
Stage 13: extend
Stage 14: where
DestinationPort eq "80"
Stage 15: extend
Stage 16: where
Initiated eq "false" and process eq "System"
Stage 17: where
not (DestinationIp in ["0:0:0:0:0:0:0:1", "::1"])
Stage 18: extend
Stage 19: project-reorder
Stage 20: extend
Stage 21: extend
Stage 22: extend
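The stage list above is abstract, so the following is an added example (not code from the catalog or from the rule's author) that replays the rule's predicates over constructed Sysmon records in Python. It assumes the rows look like the Azure Monitor Event table, with EventData stored as XML containing one `<Data Name="...">value</Data>` item per Sysmon field, that stages 4 to 11 unpack that XML into columns (an assumption; the page does not say what those extend/evaluate stages do), and that `ADFS_SERVERS` stands in for the rule's ADFS_Servers set. The hostnames, IPs and ports are made up.

```python
"""Added example, not the catalog's or the rule's own code: replays the rule's
where-stages over constructed Sysmon rows shaped like the Event table."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Hypothetical hostnames standing in for the rule's ADFS_Servers set.
ADFS_SERVERS = {"adfs01.corp.example"}

# The rule's only exclusion (stage 17): IPv6 loopback literals.
IPV6_LOOPBACK = ("0:0:0:0:0:0:0:1", "::1")


def unpack_event_data(event_data_xml: str) -> Dict[str, str]:
    """Stand-in for the extend/mv-expand/evaluate stages: returns
    {Data@Name: #text}. Tags are matched by local name so the EventData
    namespace does not matter."""
    fields: Dict[str, str] = {}
    for el in ET.fromstring(event_data_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields


def matches(row: Dict[str, object]) -> bool:
    """Applies stages 2, 3, 12, 14, 16 and 17 to one Event row."""
    if row["Source"] != "Microsoft-Windows-Sysmon":
        return False
    # Assumption: membership in ADFS_Servers is case-insensitive.
    if str(row["Computer"]).lower() not in {s.lower() for s in ADFS_SERVERS}:
        return False
    if int(row["EventID"]) != 3:  # Sysmon NetworkConnect only
        return False
    d = unpack_event_data(str(row["EventData"]))
    if d.get("DestinationPort") != "80":
        return False
    # process = last path component of Image. Inbound connections accepted
    # by HTTP.sys are attributed to the kernel, which Sysmon logs as "System".
    process = d.get("Image", "").split("\\")[-1]
    if d.get("Initiated") != "false" or process != "System":
        return False
    if d.get("DestinationIp") in IPV6_LOOPBACK:
        return False
    return True


def run_rule(rows: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Returns (Computer, SourceIp, DestinationIp) for each matching row."""
    hits = []
    for row in rows:
        if matches(row):
            d = unpack_event_data(str(row["EventData"]))
            hits.append((str(row["Computer"]), d.get("SourceIp", ""),
                         d.get("DestinationIp", "")))
    return hits


def sysmon_row(computer: str, event_id: int, **data: str) -> Dict[str, object]:
    """Constructs an Event-table row with the DataItem/EventData XML wrapper."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    xml = ('<DataItem type="System.XmlData"><EventData '
           'xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
           f"{items}</EventData></DataItem>")
    return {"Source": "Microsoft-Windows-Sysmon", "Computer": computer,
            "EventID": event_id, "EventData": xml}


SAMPLE_ROWS = [  # constructed rows, not captured telemetry
    # 1: inbound TCP/80 to an AD FS server, accepted by HTTP.sys -> fires
    sysmon_row("adfs01.corp.example", 3, Image="System", Initiated="false",
               SourceIp="10.20.30.40", SourcePort="51822",
               DestinationIp="10.0.0.5", DestinationPort="80"),
    # 2: outbound HTTP from a process on the AD FS server -> Initiated=true
    sysmon_row("adfs01.corp.example", 3, Image="C:\\Windows\\System32\\svchost.exe",
               Initiated="true", SourceIp="10.0.0.5", SourcePort="49200",
               DestinationIp="10.0.0.9", DestinationPort="80"),
    # 3: IPv6 loopback probe -> excluded by stage 17
    sysmon_row("adfs01.corp.example", 3, Image="System", Initiated="false",
               SourceIp="::1", SourcePort="50001",
               DestinationIp="::1", DestinationPort="80"),
    # 4: same traffic on a host that is not an AD FS server -> stage 3 drops it
    sysmon_row("web01.corp.example", 3, Image="System", Initiated="false",
               SourceIp="10.20.30.40", SourcePort="51823",
               DestinationIp="10.0.0.7", DestinationPort="80"),
    # 5: inbound TLS to the AD FS server -> port 443 is out of scope
    sysmon_row("adfs01.corp.example", 3, Image="System", Initiated="false",
               SourceIp="10.20.30.40", SourcePort="51824",
               DestinationIp="10.0.0.5", DestinationPort="443"),
    # 6: a pipe event (ID 18) on the AD FS server -> EventID filter drops it
    sysmon_row("adfs01.corp.example", 18, Image="System", PipeName="\\srvsvc"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ROWS):
        print("ALERT inbound HTTP on AD FS server:", hit)
```

Row 1 is the only one that survives every stage; rows 2 to 6 each fail exactly one predicate, which is a useful way to confirm a tuned copy of the rule still fires where you expect before deploying it.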
Exclusions
Top-level NOT(...) conjuncts, i.e. predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 17 | DestinationIp | in | 0:0:0:0:0:0:0:1, ::1 |
Only the IPv6 loopback literals are excluded; a connection whose destination is 127.0.0.1 is not suppressed by this rule.
Indicators
Each row is a field, operator and value that the rule matches; the values are taken from the stage predicates above.
| Field | Kind | Values |
|---|---|---|
| Computer | in | ADFS_Servers |
| DestinationPort | eq | 80 |
| EventID | eq | 3 |
| Initiated | eq | false |
| Source | eq | Microsoft-Windows-Sysmon |
| process | eq | System |