ADFS Database Named Pipe Connection By Uncommon Tool (1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3)
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| ADFS Database Named Pipe Connection By Uncommon Tool (1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3) | Sigma-Rules | Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | 1 |