From 8d1dbefa2ca42aa77095288cacb8980a12e7b877 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 2 Aug 2024 13:03:20 -0300 Subject: [PATCH] [New Rule] Potential Relay Attack against a Domain Controller (#3928) * [New Rule] Potential Relay Attack against a Domain Controller * Update credential_access_dollar_account_relay.toml * Move to the correct folder (cherry picked from commit dfdc214be8413e331749c26211eec20c549d3b2a) --- ...redential_access_dollar_account_relay.toml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 rules/windows/credential_access_dollar_account_relay.toml diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml new file mode 100644 index 00000000000..d4876f833fa --- /dev/null +++ b/rules/windows/credential_access_dollar_account_relay.toml @@ -0,0 +1,73 @@ +[metadata] +creation_date = "2024/07/24" +integration = ["system", "windows"] +maturity = "production" +updated_date = "2024/07/24" + +[rule] +author = ["Elastic"] +description = """ +Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the +domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC +hash after capturing it using forced authentication. +""" +from = "now-9m" +index = ["logs-system.security-*", "logs-windows.forwarded*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Relay Attack against a Domain Controller" +references = [ + "https://github.com/p0dalirius/windows-coerced-authentication-methods", + "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", + "https://attack.mitre.org/techniques/T1187/", +] +risk_score = 21 +rule_id = "263481c8-1e9b-492e-912d-d1760707f810" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and + winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and + + /* Filter for a machine account that matches the hostname */ + startswith~(host.name, substring(user.name, 0, -1)) and + + /* Verify if the Source IP belongs to the host */ + not endswith(string(source.ip), string(host.ip)) and + source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +