Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes #3917

Merged
merged 3 commits into from
Jul 24, 2024
Merged

[New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes #3917

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ef8598e
[New Rule] Active Directory Forced Authentication from Linux Host via…
w0rk3r Jul 24, 2024
b7d97c6
Update credential_access_forced_authentication_pipes.toml
w0rk3r Jul 24, 2024
8b49eee
Update rules/cross-platform/credential_access_forced_authentication_p…
w0rk3r Jul 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions rules/cross-platform/credential_access_forced_authentication_pipes.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
[metadata]
creation_date = "2024/07/23"
integration = ["endpoint", "system"]
maturity = "production"
updated_date = "2024/07/23"

[rule]
author = ["Elastic"]
description = """
Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to
authenticate to a host controlled by them to capture hashes or enable relay attacks.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
language = "eql"
license = "Elastic License v2"
name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
references = [
"https://github.com/p0dalirius/windows-coerced-authentication-methods",
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
"https://attack.mitre.org/techniques/T1187/",
]
risk_score = 47
rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
setup = """## Setup
This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
for correlation. Both data sources should be collected from the hosts for this detection to work.
The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)
```
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence with maxspan=15s
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1187"
name = "Forced Authentication"
reference = "https://attack.mitre.org/techniques/T1187/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

Loading