From bc2217d619cd24d8318448972eec5b267568b0aa Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:12:37 -0300
Subject: [PATCH 1/4] [New Rule] Potential Forced Authentication - SMB Named
 Pipes

---
 ...al_access_forced_authentication_pipes.toml | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 rules/windows/credential_access_forced_authentication_pipes.toml

diff --git a/rules/windows/credential_access_forced_authentication_pipes.toml b/rules/windows/credential_access_forced_authentication_pipes.toml
new file mode 100644
index 00000000000..5b2661cbb51
--- /dev/null
+++ b/rules/windows/credential_access_forced_authentication_pipes.toml
@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2024/07/23"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2024/07/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to
+authenticate to a host controlled by them to capture hashes or enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-system.security-*", "logs-windows.forwarded-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Forced Authentication - SMB Named Pipes"
+references = [
+    "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 21
+rule_id = "73d05fd0-d73b-4625-aa2e-3221965aa2e3"
+setup = """## Setup
+
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success,Failure)
+```
+"""
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by source.ip, user.name with maxspan=1s
+[authentication where host.os.type == "windows" and winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"]
+[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

From 8c1d45c67f219547f369e8826cecc1604bfcf11d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:14:35 -0300
Subject: [PATCH 2/4] Update credential_access_forced_authentication_pipes.toml

---
 .../windows/credential_access_forced_authentication_pipes.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/credential_access_forced_authentication_pipes.toml b/rules/windows/credential_access_forced_authentication_pipes.toml
index 5b2661cbb51..8b5b7646a57 100644
--- a/rules/windows/credential_access_forced_authentication_pipes.toml
+++ b/rules/windows/credential_access_forced_authentication_pipes.toml
@@ -53,7 +53,8 @@ type = "eql"
 
 query = '''
 sequence by source.ip, user.name with maxspan=1s
-[authentication where host.os.type == "windows" and winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"]
+[authentication where host.os.type == "windows" and event.action == "logged-in" and
+ winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"]
 [file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")]
 '''
 

From c2e88613f4cc47eb2e1115c3bdc933fe2ff60b49 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:23:43 -0300
Subject: [PATCH 3/4] Update credential_access_forced_authentication_pipes.toml

---
 .../windows/credential_access_forced_authentication_pipes.toml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/credential_access_forced_authentication_pipes.toml b/rules/windows/credential_access_forced_authentication_pipes.toml
index 8b5b7646a57..10e14739549 100644
--- a/rules/windows/credential_access_forced_authentication_pipes.toml
+++ b/rules/windows/credential_access_forced_authentication_pipes.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2024/07/23"
-integration = ["endpoint", "system"]
+integration = ["system", "windows"]
 maturity = "production"
 updated_date = "2024/07/23"
 

From 634770973812305be81c484b58746f489e8e69d0 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:27:21 -0300
Subject: [PATCH 4/4] Update credential_access_forced_authentication_pipes.toml

---
 .../windows/credential_access_forced_authentication_pipes.toml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/credential_access_forced_authentication_pipes.toml b/rules/windows/credential_access_forced_authentication_pipes.toml
index 10e14739549..68e42be60b8 100644
--- a/rules/windows/credential_access_forced_authentication_pipes.toml
+++ b/rules/windows/credential_access_forced_authentication_pipes.toml
@@ -52,7 +52,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-sequence by source.ip, user.name with maxspan=1s
+sequence by host.id, source.ip, user.name with maxspan=1s
 [authentication where host.os.type == "windows" and event.action == "logged-in" and
  winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"]
 [file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")]