This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that hold information about Microsoft Entra ID joined or registered devices and their Transport keys (tkpub / tkpriv). This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub / tkpriv). This set of keys can be used to impersonate existing Microsoft Entra ID joined devices. This detection requires an access control entry (ACE) on
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Windows Security Events |
| ID | a356c8bd-c81d-428b-aa36-83be706be034 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Discovery |
| Techniques | T1012 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| SecurityEvent | EventID in "4656,4663" | ✓ | ✓ | ? |