Gain Code Execution on ADFS Server via Remote WMI Execution

Severity: medium
Time window: 7d
Author: Microsoft Security Research
Source: github.com/Azure/Azure-Sentinel

This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution. In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21. If you do not have Sysmon data in your workspace this query will raise an error stating: Failed to resolve scalar expression named "[@Name]" For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/. The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details. - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1210` Exploitation of Remote Services

Event coverage

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 19	WmiEvent (WmiEventFilter activity detected)
Sysmon	Event ID 20	WmiEvent (WmiEventConsumer activity detected)
Sysmon	Event ID 21	WmiEvent (WmiEventConsumerToFilter activity detected)
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4688	A new process has been created.

Rule body kusto

id: 0bd65651-1404-438b-8f63-eecddcec87b4
name: Gain Code Execution on ADFS Server via Remote WMI Execution
description: |
   'This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.
   In order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.
   If you do not have Sysmon data in your workspace this query will raise an error stating:
        Failed to resolve scalar expression named "[@Name]"
   For more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.
   The query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.
   - ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes: 
      - SecurityEvents 
  - connectorId: WindowsForwardedEvents
    dataTypes: 
      - WindowsEvent 
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
relevantTechniques:
  - T1210
tags:
  - Solorigate
  - NOBELIUM
query: |
  let timeframe = 1d;
  // Adjust for a longer timeframe for identifying ADFS Servers
  let lookback = 6d;
  // Identify ADFS Servers
  let ADFS_Servers = ( union isfuzzy=true
  ( Event
  | where TimeGenerated > ago(timeframe+lookback)
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 1
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key=tostring(['@Name']), Value=['#text']
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | extend process = split(Image, '\\', -1)[-1]
  | where process =~ "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  ),
  ( SecurityEvent
  | where TimeGenerated > ago(timeframe+lookback)
  | where EventID == 4688 and SubjectLogonId != "0x3e4"
  | where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  ),
  (WindowsEvent
  | where TimeGenerated > ago(timeframe+lookback)
  | where EventID == 4688 and EventData has "0x3e4" and EventData has "Microsoft.IdentityServer.ServiceHost.exe"
  | extend SubjectLogonId  = tostring(EventData.SubjectLogonId)
  | where SubjectLogonId != "0x3e4"
  | extend ProcessName  = tostring(EventData.ProcessName)
  | where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
  | distinct Computer
  )
  | distinct Computer);
  (union isfuzzy=true
  (
  SecurityEvent
  | where EventID == 4688
  | where TimeGenerated > ago(timeframe)
  | where Computer in~ (ADFS_Servers)
  | where ParentProcessName has 'wmiprvse.exe'
  // Looking for rundll32.exe is based on intel from the blog linked in the description
  // This can be commented out or altered to filter out known internal uses
  | where CommandLine has_any ('rundll32') 
  | project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
  // Search for recent logons to identify lateral movement
  | join kind= inner
  (SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4624 and LogonType == 3
  | where Account !endswith "$"
  | project TargetLogonId
  ) on TargetLogonId
  ),
  (
  WindowsEvent
  | where EventID == 4688
  | where TimeGenerated > ago(timeframe)
  | where Computer in~ (ADFS_Servers)
  | where EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') 
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has 'wmiprvse.exe'
  // Looking for rundll32.exe is based on intel from the blog linked in the description
  // This can be commented out or altered to filter out known internal uses
  | extend CommandLine = tostring(EventData.CommandLine)
  | where CommandLine has_any ('rundll32') 
  | extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | extend TargetLogonId = tostring(EventData.TargetLogonId)
  | project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
  // Search for recent logons to identify lateral movement
  | join kind= inner
  (WindowsEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4624 
  | extend  LogonType = tostring(EventData.LogonType)
  | where LogonType == 3
  | extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
  | where Account !endswith "$"
  | extend TargetLogonId = tostring(EventData.TargetLogonId)
  | project TargetLogonId
  ) on TargetLogonId
  ),
  (
  Event
  | where TimeGenerated > ago(timeframe)
  | where Source == "Microsoft-Windows-Sysmon"
  // Check for WMI Events
  | where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)
  | extend EventData = parse_xml(EventData).DataItem.EventData.Data
  | mv-expand bagexpansion=array EventData
  | evaluate bag_unpack(EventData)
  | extend Key=tostring(['@Name']), Value=['#text']
  | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
  | project TimeGenerated, EventType, Image, Computer, UserName
  | extend timestamp = TimeGenerated
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(UserName, "\\")[0]), AccountNTDomain = tostring(split(UserName, "\\")[1])
  )
  )
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserName
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
version: 1.1.4
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Others", "Identity" ]

Stages and Predicates

Parameters

let timeframe = 1d;
let lookback = 6d;

Let binding: `ADFS_Servers`

let ADFS_Servers = ( union isfuzzy=true
( Event
| where TimeGenerated > ago(timeframe+lookback)
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| extend process = split(Image, '\\', -1)[-1]
| where process =~ "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
),
( SecurityEvent
| where TimeGenerated > ago(timeframe+lookback)
| where EventID == 4688 and SubjectLogonId != "0x3e4"
| where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
),
(WindowsEvent
| where TimeGenerated > ago(timeframe+lookback)
| where EventID == 4688 and EventData has "0x3e4" and EventData has "Microsoft.IdentityServer.ServiceHost.exe"
| extend SubjectLogonId  = tostring(EventData.SubjectLogonId)
| where SubjectLogonId != "0x3e4"
| extend ProcessName  = tostring(EventData.ProcessName)
| where ProcessName has "Microsoft.IdentityServer.ServiceHost.exe"
| distinct Computer
)
| distinct Computer);

Derived from timeframe, lookback.

union `isfuzzy=true` (3 sources)

Each leg below queries one source; the rule matches if any leg does. Sources: SecurityEvent, WindowsEvent, Event

Leg 1: `SecurityEvent`

SecurityEvent
| where EventID == 4688
| where TimeGenerated > ago(timeframe)
| where Computer in~ (ADFS_Servers)
| where ParentProcessName has 'wmiprvse.exe'
| where CommandLine has_any ('rundll32') 
| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
| join kind= inner
(SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4624 and LogonType == 3
| where Account !endswith "$"
| project TargetLogonId
) on TargetLogonId

Leg 2: `WindowsEvent`

WindowsEvent
| where EventID == 4688
| where TimeGenerated > ago(timeframe)
| where Computer in~ (ADFS_Servers)
| where EventData has 'wmiprvse.exe' and EventData has_any ('rundll32') 
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where ParentProcessName has 'wmiprvse.exe'
| extend CommandLine = tostring(EventData.CommandLine)
| where CommandLine has_any ('rundll32') 
| extend TargetAccount = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| extend TargetLogonId = tostring(EventData.TargetLogonId)
| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
| join kind= inner
(WindowsEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4624 
| extend  LogonType = tostring(EventData.LogonType)
| where LogonType == 3
| extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
| where Account !endswith "$"
| extend TargetLogonId = tostring(EventData.TargetLogonId)
| project TargetLogonId
) on TargetLogonId

Leg 3: `Event`

Event
| where TimeGenerated > ago(timeframe)
| where Source == "Microsoft-Windows-Sysmon"
| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
| project TimeGenerated, EventType, Image, Computer, UserName
| extend timestamp = TimeGenerated
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(UserName, "\\")[0]), AccountNTDomain = tostring(split(UserName, "\\")[1])

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`Account`	ends_with	`$`
`Account`	ends_with	`$`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`rundll32` corpus 26 (sigma 23, chronicle 2, kusto 1)
`Computer`	in	`ADFS_Servers` corpus 5 (kusto 5)
`EventData`	match	`rundll32` `wmiprvse.exe` transforms: `term`
`EventID`	eq	`4624` transforms: `cased` corpus 25 (splunk 13, kusto 8, chronicle 4) `4688` transforms: `cased` corpus 313 (splunk 283, kusto 30)
`EventID`	in	`19` transforms: `cased` `20` transforms: `cased` `21` transforms: `cased` corpus 2 (elastic 1, splunk 1)
`LogonType`	eq	`3` transforms: `cased` corpus 40 (splunk 13, sigma 12, elastic 9, kusto 6)
`ParentProcessName`	match	`wmiprvse.exe` transforms: `term`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`Computer`	`project`
`EventType`	`project`
`Image`	`project`
`TimeGenerated`	`project`
`UserName`	`project`
`timestamp`	`extend`
`DomainIndex`	`extend`
`HostName`	`extend`
`HostNameDomain`	`extend`
`AccountNTDomain`	`extend`
`AccountName`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Gain Code Execution on ADFS Server via Remote WMI Execution

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Parameters

Let binding: `ADFS_Servers`

union `isfuzzy=true` (3 sources)

Leg 1: `SecurityEvent`

Leg 2: `WindowsEvent`

Leg 3: `Event`

Exclusions

Indicators

Output fields

Keyboard shortcuts

Search operators

Gain Code Execution on ADFS Server via Remote WMI Execution

MITRE ATT&CK coverage

Event coverage

Rule body kusto

Stages and Predicates

Parameters

Let binding: ADFS_Servers

union isfuzzy=true (3 sources)

Leg 1: SecurityEvent

Leg 2: WindowsEvent

Leg 3: Event

Exclusions

Indicators

Output fields

Let binding: `ADFS_Servers`

union `isfuzzy=true` (3 sources)

Leg 1: `SecurityEvent`

Leg 2: `WindowsEvent`

Leg 3: `Event`