wagov / WASOCAutomationPlaybook

For testing playbooks

"AD FS Abnormal EKU object identifier attribute" #18

Closed carel-v98 closed 1 year ago

carel-v98 commented 1 year ago

Please review the following to determine if the automation steps are appropriate:

Image

DGOV-Bryce commented 1 year ago

As the Analytics rule states, to use the query, AD FS auditing needs to be on, so the first link covers that side. The second link (https://www.microsoft.com/en-us/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/), however, gives mitigations and guidance over the issue which can be added to the task steps (or at a minimum can be linked to), such as the KQL/PowerShell to look for unsigned DLLs in the relevant locations.
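
As an added illustration of the unsigned-DLL check mentioned in the comment above (this is example code, not part of the WASOC playbook or the Microsoft post), the following PowerShell lists DLLs under assumed AD FS-related locations whose Authenticode signature is missing or invalid. The paths in `$AdfsPaths` are assumptions and should be adjusted to the server's actual AD FS install and GAC locations.

```powershell
# Added example: report DLLs under assumed AD FS locations that are not validly signed.
# The paths below are assumptions; adjust them to the server's real AD FS and GAC folders.
$AdfsPaths = @(
    "$env:SystemRoot\ADFS",
    "$env:SystemRoot\Microsoft.NET\assembly"   # assumed GAC location for .NET 4.x assemblies
)

function Get-UnsignedAdfsDll {
    param([string[]]$Paths = $AdfsPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            Write-Warning "Path not found (adjust `$AdfsPaths): $p"
            continue
        }
        Get-ChildItem -Path $p -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
                # is worth a closer look, together with who signed it and when it changed.
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Status    = $sig.Status
                        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                        LastWrite = $_.LastWriteTimeUtc
                        Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

# Most recently modified first, since a recently dropped or replaced DLL is the usual signal.
Get-UnsignedAdfsDll | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize
```

A hit is a lead, not a verdict: compare the SHA256 and timestamp against a known-good AD FS server or the vendor package before treating the file as malicious.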

carel-v98 commented 1 year ago

Applied