-
Notifications
You must be signed in to change notification settings - Fork 516
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rule] Potential Relay Attack against a Domain Controller (#3928)
* [New Rule] Potential Relay Attack against a Domain Controller * Update credential_access_dollar_account_relay.toml * Move to the correct folder (cherry picked from commit dfdc214)
- Loading branch information
1 parent
0d106e5
commit 8d1dbef
Showing
1 changed file
with
73 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| [metadata] | ||
| creation_date = "2024/07/24" | ||
| integration = ["system", "windows"] | ||
| maturity = "production" | ||
| updated_date = "2024/07/24" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the | ||
| domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC | ||
| hash after capturing it using forced authentication. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-system.security-*", "logs-windows.forwarded*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Potential Relay Attack against a Domain Controller" | ||
| references = [ | ||
| "https://github.com/p0dalirius/windows-coerced-authentication-methods", | ||
| "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", | ||
| "https://attack.mitre.org/techniques/T1187/", | ||
| ] | ||
| risk_score = 21 | ||
| rule_id = "263481c8-1e9b-492e-912d-d1760707f810" | ||
| severity = "low" | ||
| tags = [ | ||
| "Domain: Endpoint", | ||
| "OS: Windows", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Credential Access", | ||
| "Data Source: Elastic Defend", | ||
| "Data Source: Active Directory", | ||
| "Use Case: Active Directory Monitoring", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and | ||
| winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and | ||
| /* Filter for a machine account that matches the hostname */ | ||
| startswith~(host.name, substring(user.name, 0, -1)) and | ||
| /* Verify if the Source IP belongs to the host */ | ||
| not endswith(string(source.ip), string(host.ip)) and | ||
| source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1" | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1187" | ||
| name = "Forced Authentication" | ||
| reference = "https://attack.mitre.org/techniques/T1187/" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1557" | ||
| name = "Adversary-in-the-Middle" | ||
| reference = "https://attack.mitre.org/techniques/T1557/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1557.001" | ||
| name = "LLMNR/NBT-NS Poisoning and SMB Relay" | ||
| reference = "https://attack.mitre.org/techniques/T1557/001/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0006" | ||
| name = "Credential Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0006/" | ||
|
|