Adversaries may leverage local SQL statements against the AD FS database to exfiltrate credentials or manipulate authentication configurations. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential credential theft or unauthorized access to critical authentication services.
id: 81fab62b-ef92-487a-9c35-a91a116309e6
name: AD FS Database Local SQL Statements
description: |
  'This hunting query uses Application events from the "MSSQL$MICROSOFT##WID" provider to collect SQL statements run against an AD FS database (e.g. the Windows Internal Database (WID)).
  A threat actor might want to extract the AD FS configuration settings with a SQL statement or modify them with an UPDATE statement.
  In order to use this query you need to create a server audit and database audit specification on your AD FS database.
  Reference: https://github.com/Azure/SimuLand/blob/main/3_simulate_detect/credential-access/exportADFSTokenSigningCertificate.md
  Reference: https://o365blog.com/post/adfs/
  '
severity: Medium
requiredDataConnectors: []
tactics:
  - Collection
relevantTechniques:
  - T1005
tags:
  - SimuLand
query: |
  Event
  | where EventLog =~ 'Application'
  // Event 33205 is the SQL Server audit event; the WID instance hosting AD FS writes it to the Application log
  | where Source == 'MSSQL$MICROSOFT##WID' and EventID == '33205'
  | where RenderedDescription has_all ('database_name:AdfsConfigurationV4','schema_name:IdentityServerPolicy','object_name:ServiceSettings')
  | extend action_id = extract("action_id:([\\S]+)", 1, RenderedDescription)
  | extend session_server_principal_name = extract("session_server_principal_name:([\\S]+)", 1, RenderedDescription)
  // Require a non-underscore before the field name so the match does not land inside 'session_server_principal_name:'
  | extend server_principal_name = extract("(?:^|[^_])server_principal_name:([\\S]+)", 1, RenderedDescription)
  | extend HostCustomEntity = Computer, AccountCustomEntity = split(server_principal_name, '\\')[1]
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
version: 1.0.0
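As an added example (not the Sentinel query's own code), the same filter and field extraction in Python over constructed Event-table rows whose RenderedDescription imitates the layout of SQL Server audit event 33205; it also shows why an unanchored server_principal_name pattern returns the session principal instead. The host, account and statement values are invented.

```python
import re
# Constructed rows shaped like the Log Analytics Event table (not real telemetry);
# RenderedDescription mimics SQL Server audit event 33205 from the WID instance.
SAMPLE_EVENTS = [
    {"EventLog": "Application", "Source": "MSSQL$MICROSOFT##WID", "EventID": 33205,
     "Computer": "ADFS01.contoso.local", "RenderedDescription":
     "action_id:SL session_server_principal_name:CONTOSO\\adfs_svc server_principal_name:CONTOSO\\jdoe "
     "database_name:AdfsConfigurationV4 schema_name:IdentityServerPolicy object_name:ServiceSettings "
     "statement:SELECT ServiceSettingsData FROM IdentityServerPolicy.ServiceSettings"},
    {"EventLog": "Application", "Source": "MSSQL$MICROSOFT##WID", "EventID": 33205,
     "Computer": "ADFS01.contoso.local", "RenderedDescription":
     "action_id:SL session_server_principal_name:CONTOSO\\adfs_svc server_principal_name:CONTOSO\\adfs_svc "
     "database_name:AdfsArtifactStore schema_name:ArtifactStore object_name:Artifacts statement:SELECT 1"},
]
REQUIRED = {"database_name": "AdfsConfigurationV4",
            "schema_name": "IdentityServerPolicy", "object_name": "ServiceSettings"}

def parse_audit_fields(text):
    """Split 'key:value' pairs; a value runs until the next ' key:' token, so a
    statement that itself contains ' word:' would be truncated (known limitation)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+):(.*?)(?=\s\w+:|$)", text, re.S)}

def naive_server_principal(text):
    """Unanchored pattern: matches inside 'session_server_principal_name:' first."""
    m = re.search(r"server_principal_name:(\S+)", text)
    return m.group(1) if m else None

def anchored_server_principal(text):
    """RE2-compatible fix (no lookbehind): require a non-underscore before the key."""
    m = re.search(r"(?:^|[^_])server_principal_name:(\S+)", text)
    return m.group(1) if m else None

def hunt(events):
    """Python equivalent of the KQL filter; returns one dict per matching event."""
    hits = []
    for e in events:
        if (e["EventLog"].lower(), e["Source"], int(e["EventID"])) != (
                "application", "MSSQL$MICROSOFT##WID", 33205):
            continue
        f = parse_audit_fields(e["RenderedDescription"])
        if any(f.get(k) != v for k, v in REQUIRED.items()):
            continue
        hits.append({"HostCustomEntity": e["Computer"], "action_id": f.get("action_id"),
                     "session_server_principal_name": f.get("session_server_principal_name"),
                     "server_principal_name": f.get("server_principal_name"),
                     # KQL: split(server_principal_name, '\\')[1]; [-1] also tolerates a bare name
                     "AccountCustomEntity": f.get("server_principal_name", "").split("\\")[-1],
                     "statement": f.get("statement")})
    return hits
```

Only the first row survives the database/schema/object filter, and the anchored pattern is what makes the account entity come from server_principal_name rather than the session principal.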
Scenario: Database Backup Job Running
Description: A scheduled SQL backup job is executed using SQL Server Management Studio (SSMS) or via SQL Agent.
Filter/Exclusion: Exclude events where the SQL statement contains BACKUP DATABASE or RESTORE DATABASE keywords.
Example Filter: sql_text LIKE '%BACKUP DATABASE%' OR sql_text LIKE '%RESTORE DATABASE%'

Scenario: Admin Performing Database Maintenance
Description: An administrator is running maintenance tasks such as index rebuilds or reorganizations using SQL Server Management Studio (SSMS).
Filter/Exclusion: Exclude events where the SQL statement includes ALTER INDEX or DBCC CHECKDB.
Example Filter: sql_text LIKE '%ALTER INDEX%' OR sql_text LIKE '%DBCC CHECKDB%'

Scenario: AD FS Configuration Change via PowerShell
Description: An admin is using PowerShell to modify the AD FS configuration, which may result in SQL statements being executed against the AD FS database.
Filter/Exclusion: Exclude events where the source is a PowerShell script or a process with a command line containing powershell.exe.
Example Filter: process_name = 'powershell.exe'

Scenario: Scheduled Job for Token Renewal
Description: A scheduled job in SQL Server Agent is running a stored procedure to renew tokens, which may trigger the rule.
Filter/Exclusion: Exclude events where the SQL statement is part of a known scheduled job (e.g., JobName = 'ADFS_Token_Renewal').
Example Filter: job_name = 'ADFS_Token_Renewal'

Scenario: User Querying AD FS Database for Reports
Description: A database administrator or analyst is querying the AD FS database using SQL Server Management Studio (SSMS)