Update ADFS-DKM-MasterKey-Export.yaml

+ Improving description of SecurityEvent logic to know how to get the ADFS Policy Store DKM Group ad object

+ Improving LDAP search to filter on ADFS AD containers reducing the number of false positives

Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml

@@ -1,9 +1,37 @@
 id: 18e6a87e-9d06-4a4e-8b59-3469cd49552d
 name: ADFS DKM Master Key Export
 description: | 
-  'Identifies an export of the ADFS DKM Master Key from Active Directory.
-   References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, 
-   https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1'
+  Identifies an export of the ADFS DKM Master Key from Active Directory.
+  References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, 
+  https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1
+
+  # Obtain ADFS Policy Store DKM Group distinguished name from ADFS server:
+  Open PowerShell Console on ADFS Server and run the following PowerShell commands:
+  
+  # Get the database connection string
+  $ADFS = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
+  $conn = $ADFS.ConfigurationDatabaseConnectionString
+  Write-Verbose "ConnectionString: $conn"
+
+  # Read the service settings from the database
+  $SQLclient = new-object System.Data.SqlClient.SqlConnection -ArgumentList $conn
+  $SQLclient.Open()
+  $SQLcmd = $SQLclient.CreateCommand()
+  $SQLcmd.CommandText = "SELECT ServiceSettingsData from IdentityServerPolicy.ServiceSettings"
+  $SQLreader = $SQLcmd.ExecuteReader()
+  $SQLreader.Read() | Out-Null
+  $settings=$SQLreader.GetTextReader(0).ReadToEnd()
+  $SQLreader.Dispose()
+
+  # Read the XML
+  [xml]$xml=$settings
+
+  # Get ADFS Policy Store DKM group distinguished name
+  $group=$xml.ServiceSettingsData.PolicyStore.DkmSettings.Group
+  $container=$xml.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
+  $parent=$xml.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
+  $base="CN=$group,$container,$parent"
+  $base
 severity: Medium 
 requiredDataConnectors: 
   - connectorId: SecurityEvents 
@@ -22,16 +50,17 @@ relevantTechniques:
   - T1005
 query:  |
   (union isfuzzy=true (SecurityEvent 
-  | where EventID == 4662 
+  | where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
   | where ObjectServer == 'DS'
   | where OperationType == 'Object Access'
-  //| where ObjectName contains '<GUID of ADFS DKM Container>' This is unique to the domain.
+  //| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.
   | where ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class
   | where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailPhoto
   | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),
   (DeviceEvents
   | where ActionType =~ "LdapSearch"
   | where AdditionalFields.AttributeList contains "thumbnailPhoto"
+  | where AdditionalFields.DistinguishedName contains "CN=ADFS,CN=Microsoft,CN=Program Data" // Filter results to show only hits related to the ADFS AD container
   | extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)
   )
 entityMappings: