Windows LAPS Credential Dump via Entra ID
BIitzkrieg opened this issue · 2 comments
Description of the Idea of the Rule
An analytic that detects when an account dumps the LAPS password via Entra ID.
Public References / Example Event Log
https://twitter.com/NathanMcNulty/status/1785051227568632263
Detection Logic:

```yaml
title: Windows LAPS Credential Dump via Entra ID
description: |
    This analytic detects when an account dumps the LAPS password via Entra ID.
author: andrewdanis
date: 2024/04/30
status: test
references:
    - https://twitter.com/NathanMcNulty/status/1785051227568632263
tags:
    - attack.persistence
    - attack.t1098.005
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        Category: Device
        ActivityType: Recover device local administrator password
        AdditionalInfo: Successfully recovered local credential by device id
        Service: Device Registration Service
    condition: selection
falsepositives:
    - Trusted activity performed by an Administrator.
level: high
```
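To show what the selection above actually flags, here is an added example (not code from the Sigma repository or from the issue author) that applies the rule's selection block to a few constructed Entra ID-style audit events. The field names `Category`, `ActivityType`, `AdditionalInfo` and `Service`, the `InitiatedBy`/`TargetDeviceId` enrichment fields and the sample values are assumptions taken from the posted rule; the real Entra ID audit schema may name them differently.

```python
"""Apply the posted Sigma selection to constructed Entra ID audit events.

Added example; field names follow the rule as posted in this issue and are
assumptions, not a verified Entra ID audit log schema.
"""
import json

# Selection block of the posted rule. Inside a Sigma map every key must
# match, i.e. the fields are ANDed together.
SELECTION = {
    "Category": "Device",
    "ActivityType": "Recover device local administrator password",
    "AdditionalInfo": "Successfully recovered local credential by device id",
    "Service": "Device Registration Service",
}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Return True when every selection field is present and equal.

    Sigma string comparisons are case-insensitive by default, so the
    comparison lowercases both sides.
    """
    for field, expected in selection.items():
        value = event.get(field)
        if not isinstance(value, str) or value.lower() != expected.lower():
            return False
    return True


def detect(events: list) -> list:
    """Return (actor, device id) pairs for every event the rule would alert on."""
    hits = []
    for event in events:
        if matches_selection(event):
            hits.append((event.get("InitiatedBy", "<unknown>"),
                         event.get("TargetDeviceId", "<unknown>")))
    return hits


def parse_log(text: str) -> list:
    """Parse JSON-lines audit export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample events (JSON lines). Only the first one is a successful
# LAPS password recovery; the second is an unrelated device update and the
# third is a failed recovery, which the posted rule deliberately does not match
# because AdditionalInfo differs.
SAMPLE_LOG = """
{"Category": "Device", "ActivityType": "Recover device local administrator password", "AdditionalInfo": "Successfully recovered local credential by device id", "Service": "Device Registration Service", "InitiatedBy": "helpdesk@example.com", "TargetDeviceId": "device-id-placeholder-1"}
{"Category": "Device", "ActivityType": "Update device", "AdditionalInfo": "", "Service": "Device Registration Service", "InitiatedBy": "admin@example.com", "TargetDeviceId": "device-id-placeholder-2"}
{"Category": "Device", "ActivityType": "Recover device local administrator password", "AdditionalInfo": "Failed to recover local credential by device id", "Service": "Device Registration Service", "InitiatedBy": "svc-audit@example.com", "TargetDeviceId": "device-id-placeholder-3"}
"""

if __name__ == "__main__":
    for actor, device in detect(parse_log(SAMPLE_LOG)):
        print(f"LAPS password recovered by {actor} for device {device}")
```

Running it reports only the first event. Because the rule keys on the "Successfully recovered" text, a failed recovery attempt is not surfaced; a team that also wants visibility into failed attempts would need a second selection with the corresponding `AdditionalInfo` value once the real field names are confirmed.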
Welcome @BIitzkrieg 👋
It looks like this is your first issue on the Sigma rules repository!
This repository accepts issues related to false positives or 'rule ideas'.
If you're reporting an issue related to the pySigma library, please consider submitting it here.
If you're reporting an issue related to the deprecated sigmac library, please consider submitting it here.
Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
Thanks for the contribution. I modified the rule a bit to use correct fields. You can check it in #4888
Just note that I'm not a cloud nor an Entra expert. I used the linked tweet and did some extra research to make sure it's as accurate as possible. If you or a future reader finds an issue, please don't hesitate to fix it.