Nobelium's MagicWeb tooling (see the Microsoft reference in the rule description) tampered with an already-compromised AD FS server so that a client certificate carrying a non-standard Enhanced Key Usage (EKU) object identifier was accepted as valid for any user, turning the federation service into a persistent authentication backdoor. Because AD FS auditing records the EKU OIDs of the authenticating certificate in EventID 501, SOC teams can hunt in Microsoft Sentinel (formerly Azure Sentinel) for EKU OIDs that have never been seen before, or that are unusually long, as an indicator of this credential-access technique.
KQL Query
// change the starttime value for a longer period of known OIDs
let starttime = 1d;
// change the lookback value for a longer period of lookback for suspicious/abnormal
let lookback = 1h;
let OIDList = SecurityEvent
| where TimeGenerated >= ago(starttime)
| where EventSourceName == 'AD FS Auditing'
| where EventID == 501
| where EventData has '/eku'
| extend OIDs = extract_all(@"<Data>([\d.]+)</Data>", EventData)
| mv-expand OIDs
| extend OID = tostring(OIDs)
| extend OID_Length = strlen(OID)
| project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData
;
OIDList
| where TimeGenerated >= ago(lookback)
| join kind=leftanti (
OIDList
| where TimeGenerated between (ago(starttime) .. ago(lookback))
| summarize by OID
) on OID
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
id: cfc1ae62-db63-4a3e-b88b-dc04030c2257
name: AD FS Abnormal EKU object identifier attribute
description: |
  'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious object identifiers (OIDs) reported as part of EventID 501, specifically the OIDs of the authenticating certificate's Enhanced Key Usage (EKU) attribute.
  The query checks whether any OID appeared in the last hour that was not seen in the preceding day. New OIDs should be validated; OIDs that are very long, as indicated
  by the OID_Length field, can also be an indicator of malicious activity.
  In order to use this query you need to enable AD FS auditing on the AD FS Server.
  References:
  https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
  https://docs.microsoft.com/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
  '
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1552
tags:
  - Nobelium
  - MagicWeb
query: |
  // change the starttime value for a longer period of known OIDs
  let starttime = 1d;
  // change the lookback value for a longer period of lookback for suspicious/abnormal
  let lookback = 1h;
  let OIDList = SecurityEvent
  | where TimeGenerated >= ago(starttime)
  | where EventSourceName == 'AD FS Auditing'
  | where EventID == 501
  | where EventData has '/eku'
  | extend OIDs = extract_all(@"<Data>([\d.]+)</Data>", EventData)
  | mv-expand OIDs
  | extend OID = tostring(OIDs)
  | extend OID_Length = strlen(OID)
  | project TimeGenerated, Computer, EventSourceName, EventID, OID, OID_Length, EventData
  ;
  OIDList
  | where TimeGenerated >= ago(lookback)
  | join kind=leftanti (
  OIDList
  | where TimeGenerated between (ago(starttime) .. ago(lookback))
  | summarize by OID
  ) on OID
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Identity" ]
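The detection logic of the KQL query and rule description above, replayed in Python over constructed sample events. This is an added example, not part of the Sentinel rule or of Microsoft's rule package: it reproduces the one-day baseline versus one-hour lookback comparison, the leftanti join, the OID_Length column and the host splitting, and adds an allow-list parameter as a tuning hook for legitimately new OIDs. The claim-type URI, the shape of the 501 event body, the host names and the long OID are assumptions made for the demo (the long OID is deliberately not the value from the MagicWeb report).

```python
"""Added example: a Python replay of the 'AD FS Abnormal EKU object identifier
attribute' KQL logic over constructed AD FS Auditing 501 events. Not part of the
Sentinel rule; the event bodies are approximations built by make_501()."""
import re
from datetime import datetime, timedelta, timezone

# Claim type AD FS uses for a client certificate's Enhanced Key Usage values
# (the KQL only checks that EventData contains '/eku'). Assumed URI for the demo.
EKU_CLAIM = "http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku"

# Stricter form of the rule's extract_all(@"<Data>([\d.]+)</Data>", EventData):
# only digit groups separated by dots count as an OID, so a bare run of dots
# or a plain integer is not extracted.
OID_RE = re.compile(r"<Data>(\d+(?:\.\d+)+)</Data>")

# Made-up long OID for the demo; deliberately NOT the OID from the MagicWeb report.
LONG_DEMO_OID = "1.3.6.1.4.1.311.21.8.1234567.8765432.1.2.3.4"


def extract_oids(event_data: str) -> list[str]:
    """Same as `where EventData has '/eku'` followed by extract_all + mv-expand."""
    if "/eku" not in event_data:
        return []
    return OID_RE.findall(event_data)


def find_new_oids(events, now, starttime=timedelta(days=1),
                  lookback=timedelta(hours=1), allow_list=frozenset()):
    """Rows for OIDs seen in [now-lookback, now] that never appeared in
    [now-starttime, now-lookback] (the leftanti join) and are not allow-listed.
    allow_list is a tuning hook the KQL does not have."""
    rows = []
    for ev in events:
        if ev["EventSourceName"] != "AD FS Auditing" or ev["EventID"] != 501:
            continue
        if ev["TimeGenerated"] < now - starttime:          # outside queryPeriod
            continue
        for oid in extract_oids(ev["EventData"]):
            rows.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                         "OID": oid, "OID_Length": len(oid)})
    # Baseline: OIDs seen between ago(starttime) and ago(lookback), inclusive.
    baseline = {r["OID"] for r in rows
                if now - starttime <= r["TimeGenerated"] <= now - lookback}
    baseline |= set(allow_list)
    hits = []
    for r in rows:
        if r["TimeGenerated"] < now - lookback or r["OID"] in baseline:
            continue
        host, sep, domain = r["Computer"].partition(".")   # split(Computer, ".")[0]
        hits.append({**r, "HostName": host,
                     "HostNameDomain": domain if sep else r["Computer"]})
    return hits


def make_501(computer, when, oids, with_eku_claim=True):
    """Constructed 501 record: the EKU claim type followed by one <Data> per OID."""
    parts = [f"<Data>{EKU_CLAIM}</Data>"] if with_eku_claim else []
    parts += [f"<Data>{o}</Data>" for o in oids]
    return {"TimeGenerated": when, "Computer": computer,
            "EventSourceName": "AD FS Auditing", "EventID": 501,
            "EventData": "<EventData>" + "".join(parts) + "</EventData>"}


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed, not captured from a real farm
    make_501("adfs01.corp.example.com", NOW - timedelta(hours=20),
             ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"]),  # baseline: clientAuth + smart card logon
    make_501("adfs01.corp.example.com", NOW - timedelta(hours=5), ["1.3.6.1.5.5.7.3.2"]),
    make_501("adfs02.corp.example.com", NOW - timedelta(minutes=30), ["1.3.6.1.5.5.7.3.2"]),  # known: silent
    make_501("adfs02.corp.example.com", NOW - timedelta(minutes=10),
             ["1.3.6.1.5.5.7.3.2", LONG_DEMO_OID]),               # unseen and long: alert
    make_501("adfs01.corp.example.com", NOW - timedelta(minutes=5),
             ["10.0.0.7"], with_eku_claim=False),                 # no '/eku' claim: ignored
    make_501("adfs01", NOW - timedelta(minutes=2), ["2.5.29.37.0"]),  # anyExtendedKeyUsage, unseen: alert
]


def demo():
    return find_new_oids(SAMPLE_EVENTS, NOW)


def demo_with_allow_list():
    # Tuning: treat anyExtendedKeyUsage as approved so only the long OID remains.
    return find_new_oids(SAMPLE_EVENTS, NOW, allow_list={"2.5.29.37.0"})


if __name__ == "__main__":
    for h in demo():
        print(h["TimeGenerated"], h["Computer"], h["OID"], h["OID_Length"])
```

Running the block lists two hits: the long constructed OID from adfs02 and the anyExtendedKeyUsage OID from the host without a DNS suffix (whose HostNameDomain falls back to the bare Computer name, as in the query). The clientAuth OID used 30 minutes ago is silent because it sits in the baseline, and the record without an EKU claim is skipped even though it contains a dotted number. The allow-list variant shows the simplest tuning for the rule: once an OID is confirmed legitimate, add it to the baseline instead of widening starttime.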
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: New Certificate Template or EKU Rolled Out
Description: Certificate-based sign-in to AD FS (smart card, device or user certificates) starts using a certificate template whose EKU set contains an OID that was absent from the previous day's events, for example after a PKI change or a new enrollment policy. The first sign-in with such a certificate is reported as a new OID.
Filter/Exclusion: Confirm the OID against the issuing template in AD CS and add it to an allow list joined into the query, or raise starttime so the baseline covers the rollout.
Scenario: Rarely Used Certificates Outside the One-Day Baseline
Description: Certificates used less than daily (break-glass administrator smart cards, monthly batch jobs) carry EKUs the one-day baseline has not seen, so each use looks new.
Filter/Exclusion: Increase starttime (for example 7d or 30d) so the baseline covers the normal usage interval, and keep queryPeriod in step with it.
Scenario: Standard EKUs After a Quiet Period or on a New Farm
Description: Well-known EKUs such as Client Authentication (1.3.6.1.5.5.7.3.2) and Smart Card Logon (1.3.6.1.4.1.311.20.2.2) are flagged if no certificate authentication occurred during the baseline window, for example on a newly built AD FS farm or right after AD FS auditing was enabled.
Filter/Exclusion: Exclude the documented standard EKU OIDs explicitly, and let the baseline fill before acting on alerts from a freshly onboarded server.
Scenario: New Federation Partner or External Certificate Authority
Description: Certificates issued by a newly trusted CA for partner users may carry vendor-specific application policy OIDs that the organization has never logged.
Filter/Exclusion: Validate the OIDs with the partner and allow-list them once confirmed; treat any OID that cannot be tied to a known template as a genuine hit.
Scenario: Enterprise Application Policy OIDs from AD CS Templates
Description: Enterprise templates can carry application policy OIDs under the organization's own arc (AD CS assigns template-specific OIDs below 1.3.6.1.4.1.311.21.8). These are long, so they inflate OID_Length although they are legitimate.
Filter/Exclusion: Exclude the organization's registered OID arc, or filter by the