Detection rule (Kusto Query Language)

Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task

Source: upstream

Description: This query detects instances where an attacker has gained the ability to execute code on an ADFS server through SMB and a remote service or scheduled task.

MITRE ATT&CK coverage

Tactic            Technique
Lateral Movement  T1210 Exploitation of Remote Services

Event coverage

Provider           Event ID  Title
Security-Auditing  4624      An account was successfully logged on.
Security-Auditing  4688      A new process has been created.
Security-Auditing  4697      A service was installed in the system.
Security-Auditing  4698      A scheduled task was created.
Security-Auditing  4699      A scheduled task was deleted.
Security-Auditing  4700      A scheduled task was enabled.
Security-Auditing  4701      A scheduled task was disabled.
Security-Auditing  4702      A scheduled task was updated.
Security-Auditing  5145      A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: source

SecurityEvent

Stage 2: where

TimeGenerated > ago(timeframe)    (timeframe is a macro parameter of the rule)

Stage 3: where

Computer eq "ADFS_Servers"

Stage 4: where

not (Account ends_with "$")

Stage 5: where

EventID in ["4697", "4698", "4699", "4700", "4701", "4702"]

Stage 6: extend

Stage 7: extend

Stage 8: union

union of 1 branch

Stage 9: join

Stage 10: project

Stage 11: extend

Stage 12: extend

Stage 13: extend

Stage 14: extend

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Stage  Field    Kind       Excluded values
1      Account  ends_with  $

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field     Kind  Values
Computer  in    • ADFS_Servers
EventID   in    • 4697
                • 4698 (corpus 2: splunk 2)
                • 4699
                • 4700 (corpus 2: splunk 2)
                • 4701
                • 4702 (corpus 2: splunk 2)