[New Rule] Active Directory Forced Authentication from Linux Host #3912

Draft: wants to merge 4 commits into base: main

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Jul 22, 2024

Issues

Part of #3544

Summary

Uses both Linux and Windows logs to identify a potential forced authentication. Attackers may attempt to force targets to authenticate to a Linux machine controlled by them to capture hashes or to enable relay attacks.

Data

Events/Sample Data
{
  "_index": ".ds-logs-endpoint.events.network-default-2024.07.12-000025",
  "_id": "1RN_2pABiLqpmBCYKakF",
  "_score": 1,
  "_source": {
    "agent": {
      "id": "ea387e70-7cb8-4978-8df2-e9f44e3ef15d",
      "type": "endpoint",
      "version": "8.12.2"
    },
    "process": {
      "Ext": {
        "ancestry": [
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDYtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDUtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDQtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4OTQtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4NDEtMTcyMTY0ODQ4NQ==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4MzQtMTcyMTY0ODQ4NA==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTgzNi0xNzIxNjQ4MTc1",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTEtMTcyMTY0ODE2NQ=="
        ]
      },
      "parent": {
        "entity_id": "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng=="
      },
      "name": "python3",
      "pid": 10001,
      "thread": {
        "capabilities": {
          "effective": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_RAW",
            "CAP_SYS_CHROOT",
            "CAP_MKNOD",
            "CAP_AUDIT_WRITE",
            "CAP_SETFCAP"
          ],
          "permitted": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_RAW",
            "CAP_SYS_CHROOT",
            "CAP_MKNOD",
            "CAP_AUDIT_WRITE",
            "CAP_SETFCAP"
          ]
        }
      },
      "entity_id": "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTEwMDAxLTE3MjE2NTI2NzY=",
      "executable": "/opt/tools/PetitPotam/venv/bin/python3"
    },
    "destination": {
      "address": "192.168.56.10",
      "port": 445,
      "ip": "192.168.56.10"
    },
    "source": {
      "address": "192.168.56.200",
      "port": 48740,
      "ip": "192.168.56.200"
    },
    "message": "Endpoint network event",
    "network": {
      "transport": "tcp",
      "type": "ipv4"
    },
    "@timestamp": "2024-07-22T12:51:16.2496092Z",
    "ecs": {
      "version": "8.10.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "endpoint.events.network"
    },
    "elastic": {
      "agent": {
        "id": "ea387e70-7cb8-4978-8df2-e9f44e3ef15d"
      }
    },
    "host": {
      "hostname": "jonh-virtual-machine",
      "os": {
        "Ext": {
          "variant": "Ubuntu"
        },
        "kernel": "6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2",
        "name": "Linux",
        "family": "ubuntu",
        "type": "linux",
        "version": "22.04.4",
        "platform": "ubuntu",
        "full": "Ubuntu 22.04.4"
      },
      "ip": [
        "192.168.56.200",
        "172.17.0.1",
        "127.0.0.1",
        "::1",
        "192.168.133.129",
        "fe80::b09f:b79d:7caa:1b51"
      ],
      "name": "jonh-virtual-machine",
      "id": "e73a5ff9b30a40969fb5dedc8f1bdd18",
      "mac": [
        "00-0c-29-a5-56-92",
        "02-42-27-54-10-0f",
        "00-0c-29-a5-56-88"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": 35088,
      "ingested": "2024-07-22T12:51:25Z",
      "created": "2024-07-22T12:51:16.2496092Z",
      "kind": "event",
      "module": "endpoint",
      "action": "connection_attempted",
      "id": "Ndt2EO2UzsLLPkAZ+++++Gor",
      "category": [
        "network"
      ],
      "type": [
        "start"
      ],
      "dataset": "endpoint.events.network",
      "outcome": "unknown"
    },
    "user": {
      "Ext": {
        "real": {
          "name": "root",
          "id": 0
        }
      },
      "name": "root",
      "id": 0
    },
    "group": {
      "Ext": {
        "real": {
          "name": "root",
          "id": 0
        }
      },
      "name": "root",
      "id": 0
    }
  },
  "fields": {
    "host.os.full.text": [
      "Ubuntu 22.04.4"
    ],
    "event.category": [
      "network"
    ],
    "process.name.text": [
      "python3"
    ],
    "host.os.name.text": [
      "Linux"
    ],
    "host.os.full": [
      "Ubuntu 22.04.4"
    ],
    "host.hostname": [
      "jonh-virtual-machine"
    ],
    "process.pid": [
      10001
    ],
    "host.mac": [
      "00-0c-29-a5-56-92",
      "02-42-27-54-10-0f",
      "00-0c-29-a5-56-88"
    ],
    "elastic.agent.id": [
      "ea387e70-7cb8-4978-8df2-e9f44e3ef15d"
    ],
    "host.os.version": [
      "22.04.4"
    ],
    "process.parent.entity_id": [
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng=="
    ],
    "host.os.name": [
      "Linux"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "destination.address": [
      "192.168.56.10"
    ],
    "host.name": [
      "jonh-virtual-machine"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "unknown"
    ],
    "group.name": [
      "root"
    ],
    "process.thread.capabilities.permitted": [
      "CAP_CHOWN",
      "CAP_DAC_OVERRIDE",
      "CAP_FOWNER",
      "CAP_FSETID",
      "CAP_KILL",
      "CAP_SETGID",
      "CAP_SETUID",
      "CAP_SETPCAP",
      "CAP_NET_BIND_SERVICE",
      "CAP_NET_RAW",
      "CAP_SYS_CHROOT",
      "CAP_MKNOD",
      "CAP_AUDIT_WRITE",
      "CAP_SETFCAP"
    ],
    "host.os.type": [
      "linux"
    ],
    "user.id": [
      "0"
    ],
    "process.Ext.ancestry": [
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDYtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDUtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDQtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4OTQtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4NDEtMTcyMTY0ODQ4NQ==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4MzQtMTcyMTY0ODQ4NA==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTgzNi0xNzIxNjQ4MTc1",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTEtMTcyMTY0ODE2NQ=="
    ],
    "user.Ext.real.id": [
      "0"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "python3"
    ],
    "agent.id": [
      "ea387e70-7cb8-4978-8df2-e9f44e3ef15d"
    ],
    "source.port": [
      48740
    ],
    "ecs.version": [
      "8.10.0"
    ],
    "event.created": [
      "2024-07-22T12:51:16.249Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "host.os.family": [
      "ubuntu"
    ],
    "process.thread.capabilities.effective": [
      "CAP_CHOWN",
      "CAP_DAC_OVERRIDE",
      "CAP_FOWNER",
      "CAP_FSETID",
      "CAP_KILL",
      "CAP_SETGID",
      "CAP_SETUID",
      "CAP_SETPCAP",
      "CAP_NET_BIND_SERVICE",
      "CAP_NET_RAW",
      "CAP_SYS_CHROOT",
      "CAP_MKNOD",
      "CAP_AUDIT_WRITE",
      "CAP_SETFCAP"
    ],
    "destination.port": [
      445
    ],
    "group.id": [
      "0"
    ],
    "user.name": [
      "root"
    ],
    "source.address": [
      "192.168.56.200"
    ],
    "process.entity_id": [
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTEwMDAxLTE3MjE2NTI2NzY="
    ],
    "event.sequence": [
      35088
    ],
    "host.ip": [
      "192.168.56.200",
      "172.17.0.1",
      "127.0.0.1",
      "::1",
      "192.168.133.129",
      "fe80::b09f:b79d:7caa:1b51"
    ],
    "process.executable.caseless": [
      "/opt/tools/petitpotam/venv/bin/python3"
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "/opt/tools/PetitPotam/venv/bin/python3"
    ],
    "event.module": [
      "endpoint"
    ],
    "group.Ext.real.name": [
      "root"
    ],
    "host.os.kernel": [
      "6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2"
    ],
    "host.os.full.caseless": [
      "ubuntu 22.04.4"
    ],
    "host.id": [
      "e73a5ff9b30a40969fb5dedc8f1bdd18"
    ],
    "process.name.caseless": [
      "python3"
    ],
    "network.type": [
      "ipv4"
    ],
    "process.executable": [
      "/opt/tools/PetitPotam/venv/bin/python3"
    ],
    "user.Ext.real.name": [
      "root"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "message": [
      "Endpoint network event"
    ],
    "destination.ip": [
      "192.168.56.10"
    ],
    "network.transport": [
      "tcp"
    ],
    "group.Ext.real.id": [
      "0"
    ],
    "host.os.Ext.variant": [
      "Ubuntu"
    ],
    "event.action": [
      "connection_attempted"
    ],
    "event.ingested": [
      "2024-07-22T12:51:25Z"
    ],
    "@timestamp": [
      "2024-07-22T12:51:16.249Z"
    ],
    "host.os.platform": [
      "ubuntu"
    ],
    "data_stream.dataset": [
      "endpoint.events.network"
    ],
    "event.type": [
      "start"
    ],
    "event.id": [
      "Ndt2EO2UzsLLPkAZ+++++Gor"
    ],
    "event.dataset": [
      "endpoint.events.network"
    ],
    "host.os.name.caseless": [
      "linux"
    ],
    "user.name.text": [
      "root"
    ]
  }
}
{
  "_index": ".ds-logs-system.security-default-2024.07.02-000028",
  "_id": "wRN-2pABiLqpmBCY-5sj",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "kingslanding",
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "ephemeral_id": "82ef15ac-4d92-4f60-b6cd-11fad4777d83",
      "type": "filebeat",
      "version": "8.14.2"
    },
    "process": {
      "name": "-",
      "pid": 0,
      "executable": "-"
    },
    "winlog": {
      "computer_name": "kingslanding.sevenkingdoms.local",
      "process": {
        "pid": 744,
        "thread": {
          "id": 9164
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x0",
        "type": "Network"
      },
      "channel": "Security",
      "event_data": {
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
        "TargetOutboundDomainName": "-",
        "VirtualAccount": "%%1843",
        "TransmittedServices": "-",
        "LmPackageName": "NTLM V2",
        "RestrictedAdminMode": "-",
        "ElevatedToken": "%%1842",
        "SubjectDomainName": "-",
        "TargetDomainName": "SEVENKINGDOMS",
        "LogonProcessName": "NtLmSsp ",
        "LogonType": "3",
        "SubjectLogonId": "0x0",
        "KeyLength": "128",
        "TargetOutboundUserName": "-",
        "TargetLogonId": "0x9e0fb4",
        "TargetLinkedLogonId": "0x0",
        "SubjectUserName": "-",
        "ImpersonationLevel": "%%1833",
        "TargetUserName": "cersei.lannister",
        "SubjectUserSid": "S-1-0-0",
        "TargetUserSid": "S-1-5-21-3715621034-4113696668-281506975-1115",
        "AuthenticationPackageName": "NTLM"
      },
      "opcode": "Info",
      "version": 2,
      "record_id": "5409605",
      "task": "Logon",
      "event_id": "4624",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "version": "8.14.2",
      "snapshot": false
    },
    "source": {
      "port": 48740,
      "ip": "192.168.56.200",
      "domain": "-"
    },
    "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x9E0FB4\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t192.168.56.200\n\tSource Port:\t\t48740\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2024-07-22T12:51:16.693Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "ip": [
        "192.168.56.200"
      ],
      "user": [
        "cersei.lannister"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "kingslanding",
      "os": {
        "build": "17763.6054",
        "kernel": "10.0.17763.6054 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Datacenter Evaluation",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.56.10",
        "192.168.133.195"
      ],
      "name": "kingslanding",
      "id": "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9",
      "mac": [
        "00-0C-29-F8-CF-09",
        "00-0C-29-F8-CF-FF"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-07-22T12:51:13Z",
      "code": "4624",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2024-07-22T12:51:17.823Z",
      "kind": "event",
      "action": "logged-in",
      "category": [
        "authentication"
      ],
      "type": [
        "start"
      ],
      "dataset": "system.security",
      "outcome": "success"
    },
    "user": {
      "domain": "SEVENKINGDOMS",
      "name": "cersei.lannister",
      "id": "S-1-5-21-3715621034-4113696668-281506975-1115"
    }
  },
  "fields": {
    "winlog.event_data.AuthenticationPackageName": [
      "NTLM"
    ],
    "elastic_agent.version": [
      "8.14.2"
    ],
    "event.category": [
      "authentication"
    ],
    "process.name.text": [
      "-"
    ],
    "host.os.name.text": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "process.pid": [
      0
    ],
    "winlog.computer_name": [
      "kingslanding.sevenkingdoms.local"
    ],
    "host.mac": [
      "00-0C-29-F8-CF-09",
      "00-0C-29-F8-CF-FF"
    ],
    "winlog.process.pid": [
      744
    ],
    "winlog.event_data.KeyLength": [
      "128"
    ],
    "agent.name.text": [
      "kingslanding"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "5409605"
    ],
    "winlog.event_data.VirtualAccount": [
      "%%1843"
    ],
    "winlog.logon.id": [
      "0x0"
    ],
    "host.os.name": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "log.level": [
      "information"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "agent.name": [
      "kingslanding"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "winlog.version": [
      2
    ],
    "winlog.event_data.TargetUserName": [
      "cersei.lannister"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "winlog.event_data.RestrictedAdminMode": [
      "-"
    ],
    "winlog.event_data.TargetUserSid": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "cersei.lannister"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "-"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4624"
    ],
    "agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "source.port": [
      48740
    ],
    "winlog.event_data.TransmittedServices": [
      "-"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "winlog.event_data.LmPackageName": [
      "NTLM V2"
    ],
    "event.created": [
      "2024-07-22T12:51:17.823Z"
    ],
    "winlog.event_data.LogonGuid": [
      "{00000000-0000-0000-0000-000000000000}"
    ],
    "agent.version": [
      "8.14.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-0-0"
    ],
    "winlog.process.thread.id": [
      9164
    ],
    "winlog.event_data.TargetLinkedLogonId": [
      "0x0"
    ],
    "user.name": [
      "cersei.lannister"
    ],
    "winlog.event_data.ElevatedToken": [
      "%%1842"
    ],
    "winlog.event_data.TargetOutboundUserName": [
      "-"
    ],
    "source.domain": [
      "-"
    ],
    "host.os.build": [
      "17763.6054"
    ],
    "host.ip": [
      "192.168.56.10",
      "192.168.133.195"
    ],
    "agent.type": [
      "filebeat"
    ],
    "process.executable.text": [
      "-"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x0"
    ],
    "related.ip": [
      "192.168.56.200"
    ],
    "winlog.event_data.TargetLogonId": [
      "0x9e0fb4"
    ],
    "host.os.kernel": [
      "10.0.17763.6054 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "SEVENKINGDOMS"
    ],
    "host.id": [
      "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9"
    ],
    "process.executable": [
      "-"
    ],
    "winlog.event_data.ImpersonationLevel": [
      "%%1833"
    ],
    "winlog.task": [
      "Logon"
    ],
    "elastic_agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "-"
    ],
    "winlog.logon.type": [
      "Network"
    ],
    "message": [
      "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x9E0FB4\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t192.168.56.200\n\tSource Port:\t\t48740\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
    ],
    "winlog.event_data.LogonProcessName": [
      "NtLmSsp "
    ],
    "winlog.event_data.TargetOutboundDomainName": [
      "-"
    ],
    "winlog.event_id": [
      "4624"
    ],
    "event.action": [
      "logged-in"
    ],
    "event.ingested": [
      "2024-07-22T12:51:13Z"
    ],
    "@timestamp": [
      "2024-07-22T12:51:16.693Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "winlog.event_data.LogonType": [
      "3"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "event.type": [
      "start"
    ],
    "winlog.event_data.TargetDomainName": [
      "SEVENKINGDOMS"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "82ef15ac-4d92-4f60-b6cd-11fad4777d83"
    ],
    "winlog.event_data.SubjectDomainName": [
      "-"
    ],
    "event.dataset": [
      "system.security"
    ],
    "user.name.text": [
      "cersei.lannister"
    ]
  }
}
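The sequence the rule expresses (a Linux host attempting an SMB connection, followed within the maxspan by a Windows NTLM logon from the same address whose subject SID is the anonymous S-1-0-0) can be reproduced over the two sample documents above. The following is an added example written for this page, not the rule itself or Elastic's code; it reduces the two documents to the fields the query uses (constructed, trimmed copies), treats the multi-valued `host.ip` as "any of the host's addresses" (an assumption about the intended join, not a statement about the EQL engine), and returns the matched pair:

```python
"""Correlate a Linux outbound SMB connection with a Windows NTLM network logon
from the same source address within a short window, mirroring the rule's EQL
sequence. Added example for this page, not the rule or Elastic's code. The two
events are constructed, trimmed copies of the PR's sample documents."""
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed: fields kept from the PR's Linux endpoint network event.
LINUX_NETCON = {
    "@timestamp": "2024-07-22T12:51:16.249Z",
    "host.os.type": "linux",
    "event.category": ["network"],
    "event.action": "connection_attempted",
    "host.ip": ["192.168.56.200", "172.17.0.1", "127.0.0.1", "::1",
                "192.168.133.129", "fe80::b09f:b79d:7caa:1b51"],
    "source.ip": "192.168.56.200",
    "destination.ip": "192.168.56.10",
    "destination.port": 445,
    "process.executable": "/opt/tools/PetitPotam/venv/bin/python3",
}

# Constructed: fields kept from the PR's Windows 4624 event.
WINDOWS_LOGON = {
    "@timestamp": "2024-07-22T12:51:16.693Z",
    "host.os.type": "windows",
    "event.category": ["authentication"],
    "event.action": "logged-in",
    "event.code": "4624",
    "source.ip": "192.168.56.200",
    "winlog.event_data.AuthenticationPackageName": "NTLM",
    "winlog.event_data.SubjectUserSid": "S-1-0-0",
    "winlog.event_data.LogonType": "3",
    "user.name": "cersei.lannister",
}


def _ts(event):
    """Parse the ECS @timestamp (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def is_linux_smb_attempt(e):
    """First sequence step: a Linux host attempting a connection to port 445."""
    return (e.get("host.os.type") == "linux"
            and "network" in e.get("event.category", [])
            and e.get("event.action") == "connection_attempted"
            and e.get("destination.port") == 445)


def is_windows_ntlm_logon(e):
    """Second step: a Windows NTLM logon whose subject is the anonymous SID S-1-0-0."""
    return (e.get("host.os.type") == "windows"
            and "authentication" in e.get("event.category", [])
            and e.get("event.action") == "logged-in"
            and e.get("winlog.event_data.AuthenticationPackageName", "").upper() == "NTLM"
            and e.get("winlog.event_data.SubjectUserSid") == "S-1-0-0")


def correlate(events, maxspan=timedelta(seconds=15)):
    """Return (linux_event, windows_event) pairs that satisfy the sequence.

    Events are ordered by @timestamp, as an EQL sequence would be, so clock skew
    that stamps the logon before the connection defeats the match regardless of
    maxspan. The join treats the Linux host.ip array as 'any of these addresses';
    that is an assumption about the intended `by host.ip` semantics.
    """
    ordered = sorted(events, key=_ts)
    hits = []
    for i, first in enumerate(ordered):
        if not is_linux_smb_attempt(first):
            continue
        join_keys = {ip_address(ip) for ip in first.get("host.ip", [])}
        for second in ordered[i + 1:]:
            if _ts(second) - _ts(first) > maxspan:
                break  # later events in the sorted list are further away still
            if is_windows_ntlm_logon(second) and ip_address(second["source.ip"]) in join_keys:
                hits.append((first, second))
                break  # one logon completes this sequence instance
    return hits


if __name__ == "__main__":
    for netcon, logon in correlate([LINUX_NETCON, WINDOWS_LOGON]):
        print(f"{netcon['process.executable']} -> {netcon['destination.ip']}:445, "
              f"then NTLM logon as {logon['user.name']} from {logon['source.ip']}")
```

Swapping the Windows event's `source.ip` for an address the Linux host does not own, moving its timestamp more than 15 seconds out, or changing the package to Kerberos each drops the match, which is the behaviour to confirm in the stack before trusting the rule's join.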

@protectionsmachine
Collaborator

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date the creation PR was initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align with (or be added to) the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

Comment on lines +19 to +21
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-efsr",
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-rprn",
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-dfsnm",
Contributor Author


Tested with:

petitpotam -> MS-EFSR
printerbug -> MS-RPRN
DFSCoerce -> MS-DFSNM

type = "eql"

query = '''
sequence with maxspan=15s
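
Review bot: the sequence orders events by @timestamp, so the two hosts' clocks matter more than the maxspan value itself. In the sample Windows document, event.ingested (2024-07-22T12:51:13Z) precedes both @timestamp (12:51:16.693Z) and event.created (12:51:17.823Z), which already shows skew between the DC and the collector; if the Linux host's clock runs ahead of the DC, the logon can be stamped before the connection attempt and no maxspan will make the sequence match. Worth stating the time-synchronisation requirement in setup and, given the `maxspan=1s` result from testing, keeping 15s as headroom for skew rather than only for ingestion delay.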
Contributor Author


Works with maxspan=1s in my env, but I'm giving it a bit more here as larger envs may have delays

@w0rk3r w0rk3r changed the title [New Rule] Potential Forced Authentication [New Rule] Active Directory Forced Authentication from Linux Host Jul 24, 2024
index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
language = "eql"
license = "Elastic License v2"
name = "Active Directory Forced Authentication from Linux Host"
Contributor


Suggested change
name = "Active Directory Forced Authentication from Linux Host"
name = "SMB Authentication from a Linux Host"

Contributor Author


Not sure if this explains better what it tries to detect

Contributor


Forced auth means we have evidence that the DC is connecting back to the Linux box, so maybe invert the sequence (auth from Windows followed by incoming netcon to Linux)?

Comment on lines +48 to +49
[authentication where host.os.type == "windows" and event.action == "logged-in" and
winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
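
Review bot: the authentication clause does not constrain the logon type, although the sample event carries `winlog.logon.type == "Network"` (LogonType 3) and any SMB or RPC logon from a remote host arrives as a network logon. Adding that condition, and `event.code == "4624"` (since `event.action == "logged-in"` is the only thing tying this step to a successful logon), keeps the clause tight without excluding anything the rule wants. Note also that `SubjectUserSid == "S-1-0-0"` is what every inbound NTLM network logon reports for the subject, so on its own it does not indicate coercion; the correlation with the Linux connection is doing the real work.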
Contributor


Maybe you want to limit to host.name containing *DC* to be sure it's a domain controller, or by host.os.full : "windows server*" to limit to servers.

Contributor

@Aegrah Aegrah left a comment


You may also want to consider mitm6 relay attacks (just another detection idea)
https://github.com/dirkjanm/mitm6?tab=readme-ov-file
with ntlmrelayx from impacket (https://github.com/fortra/impacket)

Comment on lines +47 to +49
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
[authentication where host.os.type == "windows" and event.action == "logged-in" and
winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
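
Review bot: the join keys differ in cardinality: `by host.ip` on the Linux event is an array (the sample host reports six addresses, including 127.0.0.1, ::1, the docker bridge 172.17.0.1 and a link-local fe80:: address), while `by source.ip` on the Windows event is a single value. Confirm how the EQL engine joins a multi-valued key against a single-valued one on the minimum stack version before relying on it; if it does not expand the array, the sequence will only match when the first listed address happens to be the one the DC saw. Joining on `source.ip` from the Linux network event (which is the address actually used for the outbound connection, 192.168.56.200 in the sample) against `source.ip` on the Windows event would be single-valued on both sides.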
Contributor


Suggested change
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
[authentication where host.os.type == "windows" and event.action == "logged-in" and
winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445
and (destination.ip != null or destination.ip != "0.0.0.0" or cidrmatch (
destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
"192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
"192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
"FF00::/8", "172.31.0.0/16"
)
)] by host.ip
[authentication where host.os.type == "windows" and event.action == "logged-in" and
winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
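
Review bot: the added condition is always true as written. `destination.ip != null or destination.ip != "0.0.0.0" or cidrmatch(...)` is a disjunction, so any non-null address satisfies the first term and the cidrmatch term never gets to reject anything (and a null address satisfies the second term). The operators should be `and`. The range list also contradicts the stated intent of limiting to private addresses and excluding loopback: it includes 127.0.0.0/8 and ::1 and is the usual "not public" exclusion list, so used as an allow-list it admits loopback, multicast, link-local and documentation ranges. Something like `cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") and not cidrmatch(destination.ip, "127.0.0.0/8", "::1")` expresses the intent directly.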

Contributor


You may want to limit to private IPs and exclude loopback.
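
To see concretely why the suggested filter needs `and` rather than `or`, and what a filter that actually limits to private destinations and excludes loopback looks like, here is an added example for this page (not the rule's or Elastic's code) that models EQL's `cidrmatch()` with Python's `ipaddress` module and evaluates both predicates over a few constructed destination addresses; the range list is copied verbatim from the suggested change above:

```python
"""Compare the destination-IP filter proposed in the review with a version that
implements the stated intent. Added example for this page, not the rule or
Elastic's code; cidrmatch() here is a Python stand-in for the EQL function."""
from ipaddress import ip_address, ip_network

# Ranges copied verbatim from the suggested change above.
SUGGESTED_RANGES = [
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
    "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
    "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
    "FF00::/8", "172.31.0.0/16",
]
# What "private, not loopback" means when written out.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOOPBACK = ["127.0.0.0/8", "::1/128"]


def cidrmatch(ip, *cidrs):
    """Stand-in for EQL cidrmatch(): true if ip falls inside any listed network."""
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def passes_as_suggested(destination_ip):
    """The suggested condition, operator for operator. Because the terms are
    joined with `or`, a non-null address satisfies the first term and a null
    one satisfies the second, so cidrmatch() never acts as a restriction."""
    return (destination_ip is not None
            or destination_ip != "0.0.0.0"
            or cidrmatch(destination_ip, *SUGGESTED_RANGES))


def passes_private_not_loopback(destination_ip):
    """What the comment asks for: a present, non-zero, RFC 1918 destination
    that is not loopback. Every term is joined with `and`."""
    return (destination_ip is not None
            and destination_ip != "0.0.0.0"
            and cidrmatch(destination_ip, *RFC1918)
            and not cidrmatch(destination_ip, *LOOPBACK))


def evaluate(candidates):
    """Return {ip: (as_suggested, private_not_loopback)} for each candidate."""
    return {ip: (passes_as_suggested(ip), passes_private_not_loopback(ip))
            for ip in candidates}


if __name__ == "__main__":
    # Constructed candidates: the DC from the sample data, the docker bridge
    # from the Linux host's host.ip, loopback, a documentation-range address
    # standing in for a public one, the all-zeros placeholder, and a missing value.
    verdicts = evaluate(["192.168.56.10", "172.17.0.1", "127.0.0.1",
                         "203.0.113.5", "0.0.0.0", None])
    for ip, (suggested, fixed) in verdicts.items():
        print(f"{str(ip):>15}  suggested={str(suggested):<5}  private_not_loopback={fixed}")
```

Run as written, the suggested predicate returns True for every candidate, including the public-looking address, 0.0.0.0 and the missing value; the corrected one keeps only the two RFC 1918 destinations. Whether the docker bridge address should count is a policy question for the rule, which is one reason to name the allowed ranges explicitly rather than reuse a generic list.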

Comment on lines +53 to +55
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
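
Review bot: the technique table is opened here but the id, name and reference are not in this region; for this rule the mapping the guidelines ask for would be T1187 (Forced Authentication), and, since the summary also names relay, T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay) is the sub-technique that covers NTLM relay. Both belong under [[rule.threat.technique]] with their attack.mitre.org references so the rule is tagged consistently with the rest of the repository.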

@botelastic

botelastic bot commented Sep 27, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Sep 27, 2024
@w0rk3r w0rk3r marked this pull request as draft September 27, 2024 15:13
@botelastic botelastic bot removed the stale 60 days of inactivity label Sep 27, 2024
@botelastic

botelastic bot commented Nov 26, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Nov 26, 2024
@botelastic

botelastic bot commented Dec 3, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this Dec 3, 2024
@w0rk3r w0rk3r reopened this Dec 3, 2024
@botelastic botelastic bot removed the stale 60 days of inactivity label Dec 3, 2024
@w0rk3r w0rk3r added the backlog label Dec 3, 2024
5 participants