Windows LAPS Credential Dump via Entra ID

[BIitzkrieg]

Description of the Idea of the Rule

Analytic that detects when an account dumps the LAPS password via Entra ID.

Public References / Example Event Log

[Additional references and logs if possible to ease the process of creating the rule] https://twitter.com/NathanMcNulty/status/1785051227568632263

---

Detection Logic:

title: Windows LAPS Credential Dump via Entra ID
description: |
  This analytic detects when an account dumps the LAPS password via Entra ID.
author: andrewdanis
references:
  - https://twitter.com/NathanMcNulty/status/1785051227568632263
logsource:
  product: azure
  service: activitylogs
detection:
  condition: selection
  selection:
    Category: Device
    ActivityType: Recover device local administrator password
    AdditionalInfo: Successfully recovered local credential by device id
    Service: Device Registration Service
status: test
date: 2024/04/30
falsepositives:
  - Trusted activity performed by an Administrator.
level: high
tags:
  - 'T1098.005: Account Manipulation: Device Registration'

[github-actions[bot]]

Welcome @BIitzkrieg :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

[nasbench]

Thanks for the contribution. I modified the rule a bit to use correct fields. You can check it in #4888 Just note that i'm not cloud nor an entra expert. I used the linked tweet and did some extra research to make sure its as accurate as possible. If you or a future reader find an issue. Please don't hesitate to fix it.