ADFS Database Named Pipe Connection By Uncommon Tool

Severity: medium
Author: Roberto Rodriguez @Cyb3rWard0g
Source: upstream

Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1005` Data from Local System

Event coverage

Provider	Event ID	Title
Sysmon	17	PipeEvent (Pipe Created)
Sysmon	18	PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: `selection`

PipeName: '\MICROSOFT##WID\tsql\query'

Stage 2: `not 1 of filter_main_generic`

or:
Image|endswith: ':\Windows\SysWOW64\mmc.exe'
Image|endswith: ':\Windows\SysWOW64\wsmprovhost.exe'
Image|endswith: ':\Windows\System32\mmc.exe'
Image|endswith: ':\Windows\System32\wsmprovhost.exe'
Image|endswith: ':\Windows\WID\Binn\sqlwriter.exe'
Image|endswith: ':\Windows\system32\svchost.exe'
Image|endswith: '\AzureADConnect.exe'
Image|endswith: '\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
Image|endswith: '\Microsoft.IdentityServer.ServiceHost.exe'
Image|endswith: '\Microsoft.Tri.Sensor.exe'
Image|endswith: '\sqlservr.exe'
Image|endswith: '\tssdis.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`:\Windows\SysWOW64\mmc.exe` `:\Windows\SysWOW64\wsmprovhost.exe` `:\Windows\System32\mmc.exe` corpus 3 (sigma 3) `:\Windows\System32\wsmprovhost.exe` `:\Windows\WID\Binn\sqlwriter.exe` `:\Windows\system32\svchost.exe` `\AzureADConnect.exe` `\Microsoft.Identity.Health.Adfs.PshSurrogate.exe` `\Microsoft.IdentityServer.ServiceHost.exe` `\Microsoft.Tri.Sensor.exe` `\sqlservr.exe` `\tssdis.exe`
`PipeName`	eq	`\MICROSOFT##WID\tsql\query`