This detection uses Sysmon telemetry to find suspicious local connections over a named pipe to the AD FS configuration database (Windows Internal Database). To use this query you need to be collecting Sysmon Event ID 18 (Pipe Connected). The query unpacks the XML EventData of each event into columns, so if there is no Sysmon data in your workspace it fails with the error: Failed to resolve scalar expression named "[@Name]"
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Windows Security Events |
| ID | dcdf9bfc-c239-4764-a9f9-3612e6dff49c |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Collection |
| Techniques | T1005 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| Event | EventID == "18", Source == "Microsoft-Windows-Sysmon" | ✓ | ✓ | ? |
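The detection logic described above, re-implemented offline as an added example (this is not the rule's own KQL and not Microsoft's code). It parses constructed Sysmon Event ID 18 rows in the shape the Sentinel Event table stores them, keeps only connections to the WID SQL pipe, and drops the one process expected to open it. The pipe-name fragment `microsoft##wid\tsql\query` and the allowlist of expected images are assumptions not stated on the page; all sample rows are constructed.

```python
# Added example: offline re-implementation of the detection over constructed
# Sysmon Event ID 18 (Pipe Connected) rows; not the rule's own KQL.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SYSMON_SOURCE = "Microsoft-Windows-Sysmon"
PIPE_CONNECTED = 18
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Assumption: the SQL named pipe of the Windows Internal Database that hosts
# the AD FS configuration database, matched as a case-insensitive substring.
WID_PIPE_FRAGMENT = r"microsoft##wid\tsql\query"

# Assumption: the only process expected to open that pipe on an AD FS server.
# Derive this allowlist from your own baseline before relying on it.
EXPECTED_IMAGES = (r"\microsoft.identityserver.servicehost.exe",)


@dataclass
class EventRow:
    """Subset of the Sentinel Event table columns the detection needs."""
    EventID: int
    Source: str
    Computer: str
    EventData: str


def make_event_data(fields):
    """Constructed EventData blob: Sysmon fields as <Data Name=...> children."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<DataItem type="System.XmlData" sourceName="{SYSMON_SOURCE}">'
            f'<EventData xmlns="{EVENT_NS}">{data}</EventData></DataItem>')


def parse_event_data(xml_text):
    """Unpack <Data Name="X">value</Data> pairs into a dict, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    return {el.get("Name"): (el.text or "")
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Data" and el.get("Name")}


def evaluate_row(row):
    """Return an alert dict for a suspicious WID pipe connection, else None."""
    if row.Source != SYSMON_SOURCE or row.EventID != PIPE_CONNECTED:
        return None
    data = parse_event_data(row.EventData)
    pipe, image = data.get("PipeName", ""), data.get("Image", "")
    if WID_PIPE_FRAGMENT not in pipe.lower():
        return None                      # some other pipe, not the config DB
    if image.lower().endswith(EXPECTED_IMAGES):
        return None                      # the AD FS service itself, expected
    return {"Computer": row.Computer, "Image": image, "PipeName": pipe,
            "User": data.get("User", ""), "ProcessId": data.get("ProcessId", "")}


def run_detection(rows):
    """Apply evaluate_row to every row and keep the hits."""
    return [hit for hit in map(evaluate_row, rows) if hit]


# Constructed sample rows, not real telemetry.
SAMPLE_EVENTS = [
    EventRow(18, SYSMON_SOURCE, "adfs01.contoso.local", make_event_data({
        "EventType": "ConnectPipe", "ProcessId": "1776",
        "PipeName": r"\MICROSOFT##WID\tsql\query",
        "Image": r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe",
        "User": r"CONTOSO\svc_adfs"})),
    EventRow(18, SYSMON_SOURCE, "adfs01.contoso.local", make_event_data({
        "EventType": "ConnectPipe", "ProcessId": "4120",
        "PipeName": r"\MICROSOFT##WID\tsql\query",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"CONTOSO\jdoe"})),
    EventRow(17, SYSMON_SOURCE, "adfs01.contoso.local", make_event_data({
        "EventType": "CreatePipe", "ProcessId": "2208",
        "PipeName": r"\MICROSOFT##WID\tsql\query",
        "Image": r"C:\Windows\WID\Binn\sqlservr.exe",
        "User": r"NT AUTHORITY\SYSTEM"})),
    EventRow(18, SYSMON_SOURCE, "adfs01.contoso.local", make_event_data({
        "EventType": "ConnectPipe", "ProcessId": "912",
        "PipeName": r"\lsass",
        "Image": r"C:\Windows\System32\svchost.exe",
        "User": r"NT AUTHORITY\SYSTEM"})),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Only the PowerShell connection survives: the service host is allowlisted, the Event ID 17 row is a pipe creation rather than a connection, and the svchost row targets a different pipe. Unlike the KQL rule, which errors when there are no Sysmon rows to unpack, this version simply returns no hits on empty input, so wire an explicit "no Sysmon data" health check alongside it rather than reading silence as a clean result.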