{
"dataset": {
"name": "EID Quick Reference - Active Directory Federation Services",
"version": "1.2.0",
"generatedAt": "2026-05-10T00:00:00Z",
"id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/adfs.json",
"schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
"license": {
"name": "Creative Commons Attribution 4.0 International",
"spdx": "CC-BY-4.0",
"notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
},
"sources": [
{
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/",
"type": "primary"
}
]
},
"entries": [
{
"id": 403,
"log": "ADFS",
"provider": "AD FS Auditing",
"channel": "Security",
"level": "Warning",
"title": "ADFS authentication request rejected",
"summary": "An authentication request to the ADFS federation service was rejected.",
"details": "Generated when an incoming authentication request is rejected at the ADFS server boundary. ADFS is a common external authentication target because it exposes authentication via the /adfs/ls and /adfs/oauth2/token endpoints — any internet-accessible ADFS deployment faces constant credential attack. High volumes from a single IP or against multiple accounts indicate a credential spray or brute-force attack.",
"category": "Federation Authentication",
"tags": [
"adfs",
"authentication",
"brute-force",
"credential-access",
"federated-identity"
],
"relatedEventIds": [
{
"id": 501,
"log": "ADFS"
},
{
"id": 510,
"log": "ADFS"
},
{
"id": 4625,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1110.003",
"techniqueName": "Brute Force: Password Spraying",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
},
{
"techniqueId": "T1078",
"techniqueName": "Valid Accounts",
"tactics": [
{
"tacticId": "TA0001",
"tacticName": "Initial Access"
}
]
}
],
"prerequisites": [
{
"type": "log-enablement",
"description": "ADFS auditing must be enabled. Enable via ADFS Management console: Service > Edit Federation Service Properties > Events tab, or via PowerShell.",
"command": "Set-AdfsProperties -AuditLevel Verbose"
}
],
"notesGuidance": {
"investigationPivots": [
"High volume of 403 events from a single IP in a short window (hundreds per minute) indicates automated credential attack against ADFS",
"403 events spread across many user accounts from a single IP with low per-account volume indicate password spraying — compare the UPN list against your user directory to confirm account validity",
"403 from a previously unseen geography or ASN targeting privileged accounts (admin UPNs) is high priority",
"Correlate with Extranet Lockout EID 501 — if smart lockout is triggering, the attack has reached the lockout threshold"
],
"commonFalsePositives": [
"Users mistyping passwords, especially after password changes",
"Applications with stale cached credentials (mobile apps, legacy clients) generating repeated auth failures",
"Misconfigured service accounts attempting to authenticate via ADFS"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging"
},
"volumeIndicator": "medium",
"windowsVersions": {
"minVersion": "Windows Server 2012 R2"
},
"keyFields": [
{
"name": "Client IP",
"xpath": "EventData/Data[@Name='clientIP']",
"description": "Source IP of the authentication request; primary pivot for credential attack investigation"
},
{
"name": "UPN",
"xpath": "EventData/Data[@Name='userPrincipalName']",
"description": "User identity being authenticated; cross-reference with user directory for account validity"
},
{
"name": "Reason",
"xpath": "EventData/Data[@Name='reason']",
"description": "Reason for rejection (e.g., bad credentials, account disabled, unknown user)"
}
],
"detectionRules": [
{
"platform": "Sigma",
"title": "ADFS Authentication Rejection — Possible Credential Spray",
"rule": "title: ADFS Authentication Rejection — Possible Credential Spray\nstatus: experimental\nlogsource:\n product: windows\n service: adfs\ndetection:\n selection:\n EventID: 403\n condition: selection\n timeframe: 5m\n aggregate: count() > 50 by clientIP\nfalsepositives:\n - Users with stale credentials on mobile devices\n - Misconfigured service accounts\nlevel: medium",
"notes": "Aggregate on clientIP to detect spray patterns. A single IP with 50+ rejections in 5 minutes against multiple UPNs is high confidence spray."
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 411,
"log": "ADFS",
"provider": "AD FS Auditing",
"channel": "Security",
"level": "Information",
"title": "Token request with additional authentication context",
"summary": "An OAuth 2.0 or OIDC token request included additional authentication context, such as MFA claims.",
"details": "Generated when ADFS processes an OAuth 2.0 authorization code or token request that includes additional authentication context claims (e.g., Multi-Factor Authentication completion, step-up auth). This event is useful for understanding which applications are receiving tokens with strong authentication claims versus those receiving tokens with only password-based authentication. A token request that should require MFA but only contains single-factor claims may indicate an MFA bypass via legacy authentication protocol abuse.",
"category": "Federation Authentication",
"tags": [
"adfs",
"oauth",
"oidc",
"mfa",
"token-issuance"
],
"relatedEventIds": [
{
"id": 510,
"log": "ADFS"
},
{
"id": 403,
"log": "ADFS"
}
],
"mitreAttack": [
{
"techniqueId": "T1556",
"techniqueName": "Modify Authentication Process",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
},
{
"tacticId": "TA0112",
"tacticName": "Defense Impairment"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Token requests to high-value relying parties (e.g., Microsoft Graph, Exchange Online) without MFA claims when MFA is required by policy indicate MFA bypass via legacy auth",
"Unexpected client IDs or relying party identifiers in the token request indicate an unauthorised application seeking tokens",
"Correlate client IP with 403 failures — a run of 403 failures that ends in a successful 411/510 pair indicates a successful credential attack followed by token issuance"
],
"commonFalsePositives": [
"Legitimate OAuth flows for registered applications",
"Step-up authentication flows for conditional access policies"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging"
},
"volumeIndicator": "medium",
"windowsVersions": {
"minVersion": "Windows Server 2016"
},
"keyFields": [
{
"name": "Relying Party",
"xpath": "EventData/Data[@Name='relyingParty']",
"description": "Application receiving the token; unexpected RPs are anomalous"
},
{
"name": "Authentication Methods",
"xpath": "EventData/Data[@Name='authenticationMethods']",
"description": "Auth methods used (password, MFA); absence of MFA on MFA-required RPs indicates bypass"
},
{
"name": "Client ID",
"xpath": "EventData/Data[@Name='clientId']",
"description": "OAuth client application identifier"
},
{
"name": "UPN",
"xpath": "EventData/Data[@Name='userPrincipalName']",
"description": "User identity requesting the token"
}
],
"lastReviewed": "2026-05-10"
},
{
"id": 501,
"log": "ADFS",
"provider": "AD FS Auditing",
"channel": "Security",
"level": "Warning",
"title": "Extranet lockout triggered",
"summary": "An account has been locked out by the ADFS Extranet Smart Lockout mechanism due to excessive failed authentication attempts.",
"details": "Generated when the ADFS Extranet Smart Lockout (ESL) feature locks an account after it exceeds the configured failed authentication threshold from unfamiliar IP addresses. ESL distinguishes between 'familiar' locations (IPs the user has successfully authenticated from before) and 'unfamiliar' locations, locking extranet access from unfamiliar IPs while preserving corporate network access. EID 501 firing indicates an active or recently completed credential spray or brute-force attack against external ADFS access.",
"category": "Federation Authentication",
"tags": [
"adfs",
"account-lockout",
"brute-force",
"credential-access",
"smart-lockout"
],
"relatedEventIds": [
{
"id": 403,
"log": "ADFS"
},
{
"id": 510,
"log": "ADFS"
}
],
"mitreAttack": [
{
"techniqueId": "T1110.003",
"techniqueName": "Brute Force: Password Spraying",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Multiple accounts locked out in a short window from the same IP is the canonical credential spray indicator",
"Check if any accounts were successfully authenticated (EID 510) before lockout engaged — compromised accounts may have been accessed before the lockout threshold was reached",
"Accounts locked out from an 'unfamiliar' IP but with known UPNs indicate the attacker has a valid user list — investigate how the UPN list was obtained"
],
"commonFalsePositives": [
"Legitimate users travelling to unfamiliar locations (hotels, conference centres) triggering ESL from new IPs",
"VPN or proxy IP changes causing familiar location detection to fail",
"Misconfigured applications repeatedly failing authentication until lockout"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Server 2016"
},
"keyFields": [
{
"name": "UPN",
"xpath": "EventData/Data[@Name='userPrincipalName']",
"description": "Account that was locked out"
},
{
"name": "Client IP",
"xpath": "EventData/Data[@Name='clientIP']",
"description": "IP that triggered the lockout; cross-reference with 403 events to establish attack timeline"
},
{
"name": "LockoutThreshold",
"xpath": "EventData/Data[@Name='lockoutThreshold']",
"description": "Configured failed authentication threshold that was exceeded"
},
{
"name": "LockoutMode",
"xpath": "EventData/Data[@Name='lockoutMode']",
"description": "Whether lockout was soft (ESL audit mode) or hard (ESL enforcement mode)"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 510,
"log": "ADFS",
"provider": "AD FS Auditing",
"channel": "Security",
"level": "Information",
"title": "Token issued to relying party",
"summary": "ADFS successfully issued a SAML, OAuth, or WS-Federation token to a relying party application.",
"details": "Generated when ADFS successfully issues a security token (SAML assertion, OAuth access token, WS-Fed token) to a relying party (RP). This is the primary ADFS success audit event and the final step in the federation flow. Golden SAML attacks (forged SAML assertions using the stolen token signing private key) will not generate a normal 510 event because the token is forged externally and not processed by the ADFS server; the absence of a 510 for a SAML-based SSO event in the cloud target is therefore also an indicator.",
"category": "Federation Authentication",
"tags": [
"adfs",
"token-issuance",
"saml",
"oauth",
"authentication",
"golden-saml"
],
"relatedEventIds": [
{
"id": 403,
"log": "ADFS"
},
{
"id": 1007,
"log": "ADFS"
},
{
"id": 411,
"log": "ADFS"
}
],
"mitreAttack": [
{
"techniqueId": "T1606.002",
"techniqueName": "Forge Web Credentials: SAML Tokens",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
},
{
"techniqueId": "T1078",
"techniqueName": "Valid Accounts",
"tactics": [
{
"tacticId": "TA0001",
"tacticName": "Initial Access"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"510 following multiple 403 failures from the same IP/UPN confirms successful authentication after brute-force or spray",
"Token issued to an RP not normally accessed by the user (e.g., production cloud management console accessed from an account that normally only uses email) is anomalous",
"Off-hours token issuance for privileged accounts — particularly to Azure, Office 365 admin portals, or cloud management platforms — warrants investigation",
"Compare the client IP in the 510 against the user's normal access geography; unexpected countries are high priority"
],
"commonFalsePositives": [
"All successful federated logins generate this event — volume is high in active deployments",
"Automated service accounts performing OAuth flows for application access",
"Users accessing new cloud applications for the first time after onboarding"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Server 2012 R2"
},
"keyFields": [
{
"name": "Relying Party",
"xpath": "EventData/Data[@Name='relyingParty']",
"description": "Application receiving the token; unexpected RPs are the primary anomaly signal"
},
{
"name": "Client IP",
"xpath": "EventData/Data[@Name='clientIP']",
"description": "Source IP of the authentication request; geo-anomaly is a key pivot"
},
{
"name": "UPN",
"xpath": "EventData/Data[@Name='userPrincipalName']",
"description": "User receiving the token"
},
{
"name": "Authentication Method",
"xpath": "EventData/Data[@Name='authenticationMethod']",
"description": "Authentication method used for the token issuance"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 364,
"log": "ADFS",
"provider": "AD FS",
"channel": "AD FS/Admin",
"level": "Warning",
"title": "Certificate validation failure",
"summary": "ADFS failed to validate a certificate used for token signing, encryption, or service communication.",
"details": "Generated when ADFS encounters a certificate validation failure — this may relate to the token signing certificate, the token encryption certificate, the SSL/TLS certificate, or a relying party's certificate. Certificate validation failures on the token signing certificate may indicate that an attacker has attempted to substitute the signing certificate as a precursor to Golden SAML, that the ADFS server's certificate store has been tampered with, or that the issuing CA's CRL distribution point or OCSP responder is unreachable.",
"category": "Certificate Management",
"tags": [
"adfs",
"certificate",
"golden-saml",
"integrity",
"pki"
],
"relatedEventIds": [
{
"id": 1007,
"log": "ADFS"
},
{
"id": 510,
"log": "ADFS"
}
],
"mitreAttack": [
{
"techniqueId": "T1606.002",
"techniqueName": "Forge Web Credentials: SAML Tokens",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Certificate validation failure on the token signing certificate is high priority — verify the certificate in ADFS Management matches the expected thumbprint",
"Correlate with EID 1007 — if the signing cert was recently changed AND validation failures are occurring, investigate whether the new cert was legitimate",
"CRL or OCSP unreachable errors may indicate the ADFS server's outbound internet access was blocked — either a network change or deliberate isolation"
],
"commonFalsePositives": [
"Certificate expiry on token signing or SSL certificates generates validation failures until renewed",
"CRL distribution point unreachable due to transient network issues or firewall changes",
"Relying party certificate configuration mismatches after RP updates"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Server 2012 R2"
},
"keyFields": [
{
"name": "Certificate Thumbprint",
"xpath": "EventData/Data[@Name='thumbprint']",
"description": "Thumbprint of the failing certificate; cross-reference against expected ADFS signing certificate thumbprint"
},
{
"name": "Validation Error",
"xpath": "EventData/Data[@Name='validationError']",
"description": "The validation error (chain build failure, revocation check failure, expiry)"
},
{
"name": "Context",
"xpath": "EventData/Data[@Name='context']",
"description": "Certificate context (signing, encryption, SSL)"
}
],
"lastReviewed": "2026-04-10"
},
{
"id": 1007,
"log": "ADFS",
"provider": "AD FS",
"channel": "AD FS/Admin",
"level": "Information",
"title": "Token signing certificate changed",
"summary": "The ADFS token signing certificate was updated or replaced.",
"details": "Generated when the ADFS token signing certificate is changed — either automatically (during planned auto-rollover) or manually. This is the highest-sensitivity ADFS event from a security perspective because the token signing private key is the 'crown jewel' of an ADFS deployment. Possession of the token signing private key enables Golden SAML attacks: the attacker can forge arbitrary SAML assertions for any user and any relying party, achieving persistent authentication to any SAML-federated application (including Azure AD / Microsoft 365 in hybrid deployments) even after password resets or account disablement. ADFS auto-rolls certificates 20 days before expiry by default.",
"category": "Certificate Management",
"tags": [
"adfs",
"certificate",
"golden-saml",
"credential-access",
"high-severity"
],
"relatedEventIds": [
{
"id": 364,
"log": "ADFS"
},
{
"id": 510,
"log": "ADFS"
},
{
"id": 4648,
"log": "Security"
},
{
"id": 4688,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1606.002",
"techniqueName": "Forge Web Credentials: SAML Tokens",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
},
{
"techniqueId": "T1552.004",
"techniqueName": "Unsecured Credentials: Private Keys",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Any unexpected signing certificate change outside of known maintenance windows or auto-rollover schedule must be investigated immediately",
"Confirm the new certificate thumbprint matches what was authorised — if the thumbprint is unknown, treat as Golden SAML attack preparation",
"Correlate with Security EID 4648 on the ADFS server to identify which account made the change; an account other than the ADFS service account or an administrator performing scheduled maintenance is anomalous",
"After a suspected Golden SAML attack, rotate the token signing certificate immediately and revoke all existing tokens in cloud-federated services"
],
"commonFalsePositives": [
"Planned certificate renewal and auto-rollover (ADFS rotates 20 days before expiry by default)",
"Administrator-initiated certificate rotation during scheduled maintenance",
"ADFS farm upgrades or migrations that require certificate re-configuration"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Server 2012 R2"
},
"keyFields": [
{
"name": "New Thumbprint",
"xpath": "EventData/Data[@Name='newThumbprint']",
"description": "Thumbprint of the replacement signing certificate; must match authorised certificate inventory"
},
{
"name": "Old Thumbprint",
"xpath": "EventData/Data[@Name='oldThumbprint']",
"description": "Thumbprint of the certificate being replaced; confirms which key material was superseded"
}
],
"detectionRules": [
{
"platform": "KQL",
"title": "ADFS Token Signing Certificate Changed",
"rule": "Event\n| where Source == \"AD FS\"\n| where EventID == 1007\n| project TimeGenerated, Computer, RenderedDescription",
"notes": "Any occurrence of this event should be reviewed. Correlate with maintenance change records. Alert immediately if outside planned maintenance windows."
},
{
"platform": "Sigma",
"title": "ADFS Token Signing Certificate Replacement",
"rule": "title: ADFS Token Signing Certificate Replacement\nstatus: experimental\nlogsource:\n product: windows\n service: adfs\ndetection:\n selection:\n EventID: 1007\n condition: selection\nfalsepositives:\n - Planned certificate auto-rollover (ADFS default: 20 days before expiry)\n - Administrator-initiated certificate rotation during scheduled maintenance\nlevel: high",
"notes": "Alert level high due to Golden SAML risk. Correlate with change management records before closing."
}
],
"lastReviewed": "2026-04-10"
}
]
}