[New Rule] Potential Forced Authentication - SMB Named Pipes #3916
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| [metadata] | ||
| creation_date = "2024/07/23" | ||
| integration = ["system", "windows"] | ||
| maturity = "production" | ||
| updated_date = "2024/07/23" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to | ||
| authenticate to a host controlled by them to capture hashes or enable relay attacks. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-system.security-*", "logs-windows.forwarded-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Potential Forced Authentication - SMB Named Pipes" | ||
| references = [ | ||
| "https://github.com/p0dalirius/windows-coerced-authentication-methods", | ||
| "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", | ||
| "https://attack.mitre.org/techniques/T1187/", | ||
| ] | ||
| risk_score = 21 | ||
| rule_id = "73d05fd0-d73b-4625-aa2e-3221965aa2e3" | ||
| setup = """## Setup | ||
|
|
||
| The 'Audit Detailed File Share' audit policy must be configured (Success Failure). | ||
| Steps to implement the logging policy with Advanced Audit Configuration: | ||
|
|
||
| ``` | ||
| Computer Configuration > | ||
| Policies > | ||
| Windows Settings > | ||
| Security Settings > | ||
| Advanced Audit Policies Configuration > | ||
| Audit Policies > | ||
| Object Access > | ||
| Audit Detailed File Share (Success,Failure) | ||
| ``` | ||
| """ | ||
| severity = "low" | ||
| tags = [ | ||
| "Domain: Endpoint", | ||
| "OS: Windows", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Credential Access", | ||
| "Data Source: Elastic Defend", | ||
| "Data Source: Active Directory", | ||
| "Use Case: Active Directory Monitoring", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| sequence by host.id, source.ip, user.name with maxspan=1s | ||
| [authentication where host.os.type == "windows" and event.action == "logged-in" and | ||
| winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] | ||
| [file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] | ||
|
There was a problem hiding this comment. Had some unrelated hits in the There was a problem hiding this comment. lsarpc, lsass, spoolss, netlogon and samr are all very frequent and risk to be very noisy, I would suggest to use a new term rule type and limit to the 5145 event (no need for a sequence with logon event) and use 3 terms There was a problem hiding this comment. Thanks! I'll work on that |
||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1187" | ||
| name = "Forced Authentication" | ||
| reference = "https://attack.mitre.org/techniques/T1187/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0006" | ||
| name = "Credential Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0006/" | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need MITRE URL as ref if mapped already?