AD FS Remote HTTP Network Connection

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to use this query you need to enable Sysmon telemetry on the AD FS Server. Reference: https://twitter.com/OTR_Community/status/1387038995016732672

Attribute Value
Type Analytic Rule
Solution Windows Security Events
ID d57c33a9-76b9-40e0-9dfa-ff0404546410
Severity Medium
Status Available
Kind Scheduled
Tactics Collection
Techniques T1005
Required Connectors SecurityEvents, WindowsSecurityEvents
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
Event EventID in "18,3"
Source == "Microsoft-Windows-Sysmon"		 ?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Analytic Rules · Back to Windows Security Events