[New Rule] Potential Forced Authentication - SMB Named Pipes #3916

Draft
wants to merge 5 commits into base: main
Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented Jul 24, 2024

Issue

Part of #3544

Summary

Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.

Data

Events/Sample Data
{
  "_index": ".ds-logs-system.security-default-2024.07.02-000028",
  "_id": "mEJY25ABiLqpmBCYMmMt",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "kingslanding",
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "type": "filebeat",
      "ephemeral_id": "82ef15ac-4d92-4f60-b6cd-11fad4777d83",
      "version": "8.14.2"
    },
    "process": {
      "name": "-",
      "pid": 0,
      "executable": "-"
    },
    "winlog": {
      "computer_name": "kingslanding.sevenkingdoms.local",
      "process": {
        "pid": 744,
        "thread": {
          "id": 7108
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x0",
        "type": "Network"
      },
      "channel": "Security",
      "event_data": {
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
        "TargetOutboundDomainName": "-",
        "VirtualAccount": "%%1843",
        "TransmittedServices": "-",
        "LmPackageName": "NTLM V2",
        "RestrictedAdminMode": "-",
        "ElevatedToken": "%%1842",
        "SubjectDomainName": "-",
        "LogonProcessName": "NtLmSsp ",
        "TargetDomainName": "SEVENKINGDOMS",
        "LogonType": "3",
        "SubjectLogonId": "0x0",
        "KeyLength": "128",
        "TargetOutboundUserName": "-",
        "TargetLogonId": "0x19874f3",
        "TargetLinkedLogonId": "0x0",
        "SubjectUserName": "-",
        "ImpersonationLevel": "%%1833",
        "TargetUserName": "cersei.lannister",
        "SubjectUserSid": "S-1-0-0",
        "AuthenticationPackageName": "NTLM",
        "TargetUserSid": "S-1-5-21-3715621034-4113696668-281506975-1115"
      },
      "opcode": "Info",
      "version": 2,
      "record_id": "5477445",
      "task": "Logon",
      "event_id": "4624",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "version": "8.14.2",
      "snapshot": false
    },
    "source": {
      "port": 34644,
      "ip": "192.168.56.200",
      "domain": "-"
    },
    "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x19874F3\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t192.168.56.200\n\tSource Port:\t\t34644\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2024-07-22T16:48:31.310Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "ip": [
        "192.168.56.200"
      ],
      "user": [
        "cersei.lannister"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "kingslanding",
      "os": {
        "build": "17763.6054",
        "kernel": "10.0.17763.6054 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Datacenter Evaluation",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.56.10",
        "192.168.133.195"
      ],
      "name": "kingslanding",
      "id": "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9",
      "mac": [
        "00-0C-29-F8-CF-09",
        "00-0C-29-F8-CF-FF"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-07-22T16:48:28Z",
      "code": "4624",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2024-07-22T16:48:32.548Z",
      "kind": "event",
      "action": "logged-in",
      "category": [
        "authentication"
      ],
      "type": [
        "start"
      ],
      "dataset": "system.security",
      "outcome": "success"
    },
    "user": {
      "domain": "SEVENKINGDOMS",
      "name": "cersei.lannister",
      "id": "S-1-5-21-3715621034-4113696668-281506975-1115"
    }
  },
  "fields": {
    "winlog.event_data.AuthenticationPackageName": [
      "NTLM"
    ],
    "elastic_agent.version": [
      "8.14.2"
    ],
    "event.category": [
      "authentication"
    ],
    "process.name.text": [
      "-"
    ],
    "host.os.name.text": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "process.pid": [
      0
    ],
    "winlog.computer_name": [
      "kingslanding.sevenkingdoms.local"
    ],
    "host.mac": [
      "00-0C-29-F8-CF-09",
      "00-0C-29-F8-CF-FF"
    ],
    "winlog.process.pid": [
      744
    ],
    "winlog.event_data.KeyLength": [
      "128"
    ],
    "agent.name.text": [
      "kingslanding"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "5477445"
    ],
    "winlog.event_data.VirtualAccount": [
      "%%1843"
    ],
    "winlog.logon.id": [
      "0x0"
    ],
    "host.os.name": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "log.level": [
      "information"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "agent.name": [
      "kingslanding"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "winlog.version": [
      2
    ],
    "winlog.event_data.TargetUserName": [
      "cersei.lannister"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "winlog.event_data.RestrictedAdminMode": [
      "-"
    ],
    "winlog.event_data.TargetUserSid": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "cersei.lannister"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "-"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4624"
    ],
    "agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "source.port": [
      34644
    ],
    "winlog.event_data.TransmittedServices": [
      "-"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "winlog.event_data.LmPackageName": [
      "NTLM V2"
    ],
    "event.created": [
      "2024-07-22T16:48:32.548Z"
    ],
    "winlog.event_data.LogonGuid": [
      "{00000000-0000-0000-0000-000000000000}"
    ],
    "agent.version": [
      "8.14.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-0-0"
    ],
    "winlog.process.thread.id": [
      7108
    ],
    "winlog.event_data.TargetLinkedLogonId": [
      "0x0"
    ],
    "user.name": [
      "cersei.lannister"
    ],
    "winlog.event_data.ElevatedToken": [
      "%%1842"
    ],
    "winlog.event_data.TargetOutboundUserName": [
      "-"
    ],
    "source.domain": [
      "-"
    ],
    "host.os.build": [
      "17763.6054"
    ],
    "host.ip": [
      "192.168.56.10",
      "192.168.133.195"
    ],
    "agent.type": [
      "filebeat"
    ],
    "process.executable.text": [
      "-"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x0"
    ],
    "related.ip": [
      "192.168.56.200"
    ],
    "winlog.event_data.TargetLogonId": [
      "0x19874f3"
    ],
    "host.os.kernel": [
      "10.0.17763.6054 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "SEVENKINGDOMS"
    ],
    "host.id": [
      "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9"
    ],
    "process.executable": [
      "-"
    ],
    "winlog.event_data.ImpersonationLevel": [
      "%%1833"
    ],
    "winlog.task": [
      "Logon"
    ],
    "elastic_agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "-"
    ],
    "winlog.logon.type": [
      "Network"
    ],
    "message": [
      "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tYes\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x19874F3\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t-\n\tSource Network Address:\t192.168.56.200\n\tSource Port:\t\t34644\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
    ],
    "winlog.event_data.LogonProcessName": [
      "NtLmSsp "
    ],
    "winlog.event_data.TargetOutboundDomainName": [
      "-"
    ],
    "winlog.event_id": [
      "4624"
    ],
    "event.action": [
      "logged-in"
    ],
    "event.ingested": [
      "2024-07-22T16:48:28Z"
    ],
    "@timestamp": [
      "2024-07-22T16:48:31.310Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "winlog.event_data.LogonType": [
      "3"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "event.type": [
      "start"
    ],
    "winlog.event_data.TargetDomainName": [
      "SEVENKINGDOMS"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "82ef15ac-4d92-4f60-b6cd-11fad4777d83"
    ],
    "winlog.event_data.SubjectDomainName": [
      "-"
    ],
    "event.dataset": [
      "system.security"
    ],
    "user.name.text": [
      "cersei.lannister"
    ]
  }
}
{
  "_index": ".ds-logs-system.security-default-2024.07.02-000028",
  "_id": "m0JY25ABiLqpmBCYMmMt",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "kingslanding",
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "type": "filebeat",
      "ephemeral_id": "82ef15ac-4d92-4f60-b6cd-11fad4777d83",
      "version": "8.14.2"
    },
    "winlog": {
      "computer_name": "kingslanding.sevenkingdoms.local",
      "process": {
        "pid": 4,
        "thread": {
          "id": 2956
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x19874f3"
      },
      "channel": "Security",
      "event_data": {
        "ShareName": "\\\\*\\IPC$",
        "SubjectLogonId": "0x19874f3",
        "AccessMask": "0x3",
        "ObjectType": "File",
        "SubjectUserName": "cersei.lannister",
        "AccessReason": "-",
        "SubjectDomainName": "SEVENKINGDOMS",
        "AccessMaskDescription": [
          "Create Child",
          "Delete Child"
        ],
        "RelativeTargetName": "spoolss",
        "SubjectUserSid": "S-1-5-21-3715621034-4113696668-281506975-1115",
        "AccessList": "%%4416\n\t\t\t\t%%4417\n\t\t\t\t"
      },
      "opcode": "Info",
      "record_id": "5477448",
      "task": "Detailed File Share",
      "event_id": "5145",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "version": "8.14.2",
      "snapshot": false
    },
    "source": {
      "port": 34644,
      "ip": "192.168.56.200"
    },
    "message": "A network share object was checked to see whether client can be granted desired access.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x19874F3\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\t192.168.56.200\n\tSource Port:\t\t34644\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\IPC$\n\tShare Path:\t\t\n\tRelative Target Name:\tspoolss\n\nAccess Request Information:\n\tAccess Mask:\t\t0x3\n\tAccesses:\t\tReadData (or ListDirectory)\n\t\t\t\tWriteData (or AddFile)\n\t\t\t\t\nAccess Check Results:\n\t-",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2024-07-22T16:48:31.316Z",
    "file": {
      "name": "spoolss",
      "target_path": "\\\\\\\\*\\\\IPC$\\spoolss"
    },
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "ip": [
        "192.168.56.200"
      ],
      "user": [
        "cersei.lannister"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "kingslanding",
      "os": {
        "build": "17763.6054",
        "kernel": "10.0.17763.6054 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Datacenter Evaluation",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.56.10",
        "192.168.133.195"
      ],
      "name": "kingslanding",
      "id": "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9",
      "mac": [
        "00-0C-29-F8-CF-09",
        "00-0C-29-F8-CF-FF"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-07-22T16:48:28Z",
      "code": "5145",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2024-07-22T16:48:32.548Z",
      "kind": "event",
      "action": "network-share-object-access-checked",
      "category": [
        "network",
        "file"
      ],
      "type": [
        "info",
        "access"
      ],
      "dataset": "system.security",
      "outcome": "success"
    },
    "user": {
      "domain": "SEVENKINGDOMS",
      "name": "cersei.lannister",
      "id": "S-1-5-21-3715621034-4113696668-281506975-1115"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.14.2"
    ],
    "event.category": [
      "network",
      "file"
    ],
    "host.os.name.text": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "winlog.computer_name": [
      "kingslanding.sevenkingdoms.local"
    ],
    "host.mac": [
      "00-0C-29-F8-CF-09",
      "00-0C-29-F8-CF-FF"
    ],
    "winlog.process.pid": [
      4
    ],
    "winlog.event_data.ShareName": [
      "\\\\*\\IPC$"
    ],
    "agent.name.text": [
      "kingslanding"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "5477448"
    ],
    "winlog.logon.id": [
      "0x19874f3"
    ],
    "host.os.name": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "file.target_path.text": [
      "\\\\\\\\*\\\\IPC$\\spoolss"
    ],
    "log.level": [
      "information"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "agent.name": [
      "kingslanding"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "winlog.event_data.AccessMask": [
      "0x3"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "file.target_path": [
      "\\\\\\\\*\\\\IPC$\\spoolss"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "cersei.lannister"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "5145"
    ],
    "agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "source.port": [
      34644
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-07-22T16:48:32.548Z"
    ],
    "agent.version": [
      "8.14.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.RelativeTargetName": [
      "spoolss"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "winlog.process.thread.id": [
      2956
    ],
    "user.name": [
      "cersei.lannister"
    ],
    "host.os.build": [
      "17763.6054"
    ],
    "host.ip": [
      "192.168.56.10",
      "192.168.133.195"
    ],
    "winlog.event_data.AccessList": [
      "%%4416\n\t\t\t\t%%4417\n\t\t\t\t"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x19874f3"
    ],
    "related.ip": [
      "192.168.56.200"
    ],
    "host.os.kernel": [
      "10.0.17763.6054 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "SEVENKINGDOMS"
    ],
    "host.id": [
      "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9"
    ],
    "winlog.task": [
      "Detailed File Share"
    ],
    "elastic_agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "winlog.event_data.ObjectType": [
      "File"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "cersei.lannister"
    ],
    "file.name": [
      "spoolss"
    ],
    "message": [
      "A network share object was checked to see whether client can be granted desired access.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x19874F3\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\t192.168.56.200\n\tSource Port:\t\t34644\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\IPC$\n\tShare Path:\t\t\n\tRelative Target Name:\tspoolss\n\nAccess Request Information:\n\tAccess Mask:\t\t0x3\n\tAccesses:\t\tReadData (or ListDirectory)\n\t\t\t\tWriteData (or AddFile)\n\t\t\t\t\nAccess Check Results:\n\t-"
    ],
    "winlog.event_id": [
      "5145"
    ],
    "event.action": [
      "network-share-object-access-checked"
    ],
    "event.ingested": [
      "2024-07-22T16:48:28Z"
    ],
    "@timestamp": [
      "2024-07-22T16:48:31.316Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "event.type": [
      "info",
      "access"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "82ef15ac-4d92-4f60-b6cd-11fad4777d83"
    ],
    "winlog.event_data.AccessMaskDescription": [
      "Create Child",
      "Delete Child"
    ],
    "winlog.event_data.SubjectDomainName": [
      "SEVENKINGDOMS"
    ],
    "event.dataset": [
      "system.security"
    ],
    "winlog.event_data.AccessReason": [
      "-"
    ],
    "user.name.text": [
      "cersei.lannister"
    ]
  }
}

@protectionsmachine
Collaborator

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

sequence by source.ip, user.name with maxspan=1s
  [authentication where host.os.type == "windows" and event.action == "logged-in" and
   winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"]
  [file where host.os.type == "windows" and event.code == "5145" and
   file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")]
Contributor Author

Had some unrelated hits in the lsarpc pipe; will measure the noise, as this one is used in EFSRPC-related forced auth, and will remove it and create a BBR if the volume is too high.

Contributor

lsarpc, lsass, spoolss, netlogon and samr are all very frequent and risk being very noisy. I would suggest using a new terms rule type, limiting to the 5145 event (no need for a sequence with the logon event), and using 3 terms, user.name, source.ip, host.id, and file.name limited to spoolss, "efsrpc", "FssagentRpc" and "netdfs".

Contributor Author

Thanks! I'll work on that.
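To make the two detection designs in this thread concrete, here is an added Python example (not code from this PR or from the elastic/detection-rules repository) that re-implements the EQL sequence above over a handful of constructed, flattened events and also sketches the reviewer's new-terms alternative over 5145 events alone. The first two events mirror the 4624/5145 pair in the PR's sample data; the remaining events, the extra user names and the reuse of the sample host.id are constructed controls for the maxspan and NTLM conditions.

```python
"""Added example: forced-authentication sequence logic from this PR, in plain Python.

Not code from elastic/detection-rules. It mirrors the EQL in the review thread:
an NTLM network logon (4624, SubjectUserSid S-1-0-0) followed within maxspan=1s
by a 5145 access to a coercion-related pipe, joined on source.ip and user.name,
plus the reviewer's proposed new-terms style check over 5145 events alone.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Pipe list from the query in the thread (EQL ':' is case-insensitive, so lowercased here).
COERCION_PIPES = {"spoolss", "netdfs", "lsarpc", "lsass", "netlogon",
                  "samr", "efsrpc", "fssagentrpc"}
# Narrower set the reviewer suggested to reduce noise.
NARROW_PIPES = {"spoolss", "efsrpc", "fssagentrpc", "netdfs"}
MAXSPAN = timedelta(seconds=1)

HOST_ID = "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9"  # host.id from the PR's sample event

# Constructed events flattened to the ECS/winlog field names the query uses.
# The first two mirror the PR's 4624/5145 pair; the rest are constructed controls.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-07-22T16:48:31.310Z", "host.os.type": "windows", "host.id": HOST_ID,
     "event.action": "logged-in", "event.code": "4624", "source.ip": "192.168.56.200",
     "user.name": "cersei.lannister", "winlog.event_data.AuthenticationPackageName": "NTLM",
     "winlog.event_data.SubjectUserSid": "S-1-0-0"},
    {"@timestamp": "2024-07-22T16:48:31.316Z", "host.os.type": "windows", "host.id": HOST_ID,
     "event.action": "network-share-object-access-checked", "event.code": "5145",
     "source.ip": "192.168.56.200", "user.name": "cersei.lannister", "file.name": "spoolss"},
    # constructed: NTLM logon, then lsarpc access 3 s later (outside maxspan=1s)
    {"@timestamp": "2024-07-22T16:49:00.000Z", "host.os.type": "windows", "host.id": HOST_ID,
     "event.action": "logged-in", "event.code": "4624", "source.ip": "192.168.56.11",
     "user.name": "jon.snow", "winlog.event_data.AuthenticationPackageName": "NTLM",
     "winlog.event_data.SubjectUserSid": "S-1-0-0"},
    {"@timestamp": "2024-07-22T16:49:03.000Z", "host.os.type": "windows", "host.id": HOST_ID,
     "event.action": "network-share-object-access-checked", "event.code": "5145",
     "source.ip": "192.168.56.11", "user.name": "jon.snow", "file.name": "lsarpc"},
    # constructed: Kerberos logon followed by samr access (first step requires NTLM)
    {"@timestamp": "2024-07-22T16:50:00.000Z", "host.os.type": "windows", "host.id": HOST_ID,
     "event.action": "logged-in", "event.code": "4624", "source.ip": "192.168.56.12",
     "user.name": "tyrion.lannister", "winlog.event_data.AuthenticationPackageName": "Kerberos",
     "winlog.event_data.SubjectUserSid": "S-1-0-0"},
    {"@timestamp": "2024-07-22T16:50:00.500Z", "host.os.type": "windows", "host.id": HOST_ID,
     "event.action": "network-share-object-access-checked", "event.code": "5145",
     "source.ip": "192.168.56.12", "user.name": "tyrion.lannister", "file.name": "samr"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_ntlm_network_logon(ev):
    """First sequence step: NTLM logon whose subject is the anonymous SID S-1-0-0."""
    return (ev.get("host.os.type") == "windows" and ev.get("event.action") == "logged-in"
            and ev.get("winlog.event_data.AuthenticationPackageName", "").upper() == "NTLM"
            and ev.get("winlog.event_data.SubjectUserSid") == "S-1-0-0")


def is_pipe_access(ev, pipes):
    """Second sequence step: 5145 detailed file share access to one of the listed pipes."""
    return (ev.get("host.os.type") == "windows" and ev.get("event.code") == "5145"
            and ev.get("file.name", "").lower() in pipes)


def find_sequences(events, pipes=COERCION_PIPES, maxspan=MAXSPAN):
    """Return (logon, pipe_access) pairs sharing (source.ip, user.name) within maxspan."""
    pending = defaultdict(list)  # join key -> NTLM logons still waiting for a 5145
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        key = (ev.get("source.ip"), ev.get("user.name"))
        ts = parse_ts(ev["@timestamp"])
        if is_ntlm_network_logon(ev):
            pending[key].append(ev)
        elif is_pipe_access(ev, pipes):
            live = [lg for lg in pending[key] if ts - parse_ts(lg["@timestamp"]) <= maxspan]
            if live:
                hits.append((live[0], ev))  # each logon completes at most one sequence
            pending[key] = live[1:]
    return hits


def new_terms(events, known, pipes=NARROW_PIPES):
    """Reviewer's alternative: flag 5145 pipe accesses whose (user, source, host, pipe) tuple is unseen."""
    fresh = []
    for ev in events:
        if not is_pipe_access(ev, pipes):
            continue
        term = (ev.get("user.name"), ev.get("source.ip"), ev.get("host.id"),
                ev.get("file.name", "").lower())
        if term not in known:
            known.add(term)
            fresh.append(ev)
    return fresh


if __name__ == "__main__":
    for logon, access in find_sequences(SAMPLE_EVENTS):
        print(f"sequence hit: {logon['user.name']} from {logon['source.ip']} -> {access['file.name']}")
    for access in new_terms(SAMPLE_EVENTS, set()):
        print(f"new term: {access['user.name']} {access['source.ip']} {access['file.name']}")
```

Run stand-alone it reports one sequence hit (the cersei.lannister spoolss pair) and one new term; widening `maxspan` to 5 s also catches the constructed jon.snow lsarpc pair, which is exactly the volume trade-off the thread discusses, while the Kerberos pair never matches because the first step requires NTLM.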

references = [
"https://github.com/p0dalirius/windows-coerced-authentication-methods",
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
"https://attack.mitre.org/techniques/T1187/",
Contributor

Do we need the MITRE URL as a ref if it's mapped already?

Contributor

@terrancedejesus terrancedejesus left a comment

LGTM!

@w0rk3r w0rk3r marked this pull request as draft September 6, 2024 13:45
@botelastic

botelastic bot commented Nov 5, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Nov 5, 2024
@botelastic botelastic bot removed the stale 60 days of inactivity label Nov 5, 2024
@botelastic

botelastic bot commented Jan 4, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Jan 4, 2025
@w0rk3r w0rk3r added the backlog label Jan 6, 2025
@botelastic botelastic bot removed the stale 60 days of inactivity label Jan 6, 2025