
[New Rule] Potential Relay Attack against a Domain Controller #3928

Merged: 4 commits, Aug 2, 2024


@w0rk3r w0rk3r commented Jul 25, 2024

Issue

Part of #3544

Summary

Identifies potential relay attacks against a domain controller (DC) by looking for authentication events that use the DC's own computer account but originate from another host, directed at the DC that owns that account. Attackers may relay the DC hash after capturing it using forced authentication.

Data

Events/Sample Data
{
  "_index": ".ds-logs-system.security-default-2024.07.02-000028",
  "_id": "mI115ZABiLqpmBCYFlys",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "kingslanding",
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "type": "filebeat",
      "ephemeral_id": "dc8646cb-c8d3-48b9-b474-f3615a39f136",
      "version": "8.14.2"
    },
    "process": {
      "name": "-",
      "pid": 0,
      "executable": "-"
    },
    "winlog": {
      "computer_name": "kingslanding.sevenkingdoms.local",
      "process": {
        "pid": 748,
        "thread": {
          "id": 6668
        }
      },
      "keywords": [
        "Audit Failure"
      ],
      "logon": {
        "failure": {
          "reason": "An Error occured during Logon.",
          "sub_status": "Status OK.",
          "status": "This is either due to a bad username or authentication information"
        },
        "id": "0x0",
        "type": "Network"
      },
      "channel": "Security",
      "event_data": {
        "Status": "0xc000006d",
        "LogonType": "3",
        "TransmittedServices": "-",
        "SubjectLogonId": "0x0",
        "LmPackageName": "-",
        "KeyLength": "0",
        "SubjectUserName": "-",
        "FailureReason": "%%2304",
        "SubjectDomainName": "-",
        "TargetUserName": "KINGSLANDING$",
        "SubStatus": "0x0",
        "TargetDomainName": "SEVENKINGDOMS",
        "SubjectUserSid": "S-1-0-0",
        "AuthenticationPackageName": "NTLM",
        "TargetUserSid": "S-1-0-0"
      },
      "opcode": "Info",
      "record_id": "6133666",
      "event_id": "4625",
      "task": "Logon",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "version": "8.14.2",
      "snapshot": false
    },
    "source": {
      "port": 35769,
      "ip": "192.168.56.200",
      "domain": "KINGSLANDING"
    },
    "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tKINGSLANDING$\n\tAccount Domain:\t\tSEVENKINGDOMS\n\nFailure Information:\n\tFailure Reason:\t\tAn Error occured during Logon.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0x0\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\tKINGSLANDING\n\tSource Network Address:\t192.168.56.200\n\tSource Port:\t\t35769\n\nDetailed Authentication Information:\n\tLogon Process:\t\t\n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2024-07-24T15:56:21.917Z",
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "ip": [
        "192.168.56.200"
      ],
      "user": [
        "KINGSLANDING$"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "kingslanding",
      "os": {
        "build": "17763.6054",
        "kernel": "10.0.17763.6054 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Datacenter Evaluation",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.56.10",
        "192.168.133.195"
      ],
      "name": "kingslanding",
      "id": "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9",
      "mac": [
        "00-0C-29-F8-CF-09",
        "00-0C-29-F8-CF-FF"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-07-24T15:56:14Z",
      "code": "4625",
      "provider": "Microsoft-Windows-Security-Auditing",
      "kind": "event",
      "created": "2024-07-24T15:56:23.006Z",
      "action": "logon-failed",
      "category": [
        "authentication"
      ],
      "type": [
        "start"
      ],
      "dataset": "system.security",
      "outcome": "failure"
    },
    "user": {
      "domain": "SEVENKINGDOMS",
      "name": "KINGSLANDING$",
      "id": "S-1-0-0"
    }
  },
  "fields": {
    "winlog.event_data.AuthenticationPackageName": [
      "NTLM"
    ],
    "elastic_agent.version": [
      "8.14.2"
    ],
    "event.category": [
      "authentication"
    ],
    "process.name.text": [
      "-"
    ],
    "host.os.name.text": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "process.pid": [
      0
    ],
    "winlog.computer_name": [
      "kingslanding.sevenkingdoms.local"
    ],
    "host.mac": [
      "00-0C-29-F8-CF-09",
      "00-0C-29-F8-CF-FF"
    ],
    "winlog.process.pid": [
      748
    ],
    "winlog.event_data.KeyLength": [
      "0"
    ],
    "agent.name.text": [
      "kingslanding"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Failure"
    ],
    "winlog.record_id": [
      "6133666"
    ],
    "winlog.logon.id": [
      "0x0"
    ],
    "host.os.name": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "log.level": [
      "information"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "agent.name": [
      "kingslanding"
    ],
    "host.name": [
      "kingslanding"
    ],
    "winlog.logon.failure.reason": [
      "An Error occured during Logon."
    ],
    "winlog.logon.failure.sub_status": [
      "Status OK."
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "failure"
    ],
    "winlog.event_data.TargetUserName": [
      "KINGSLANDING$"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-0-0"
    ],
    "winlog.event_data.FailureReason": [
      "%%2304"
    ],
    "winlog.event_data.TargetUserSid": [
      "S-1-0-0"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "KINGSLANDING$"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "-"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "4625"
    ],
    "agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "source.port": [
      35769
    ],
    "winlog.event_data.TransmittedServices": [
      "-"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "winlog.event_data.LmPackageName": [
      "-"
    ],
    "event.created": [
      "2024-07-24T15:56:23.006Z"
    ],
    "agent.version": [
      "8.14.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-0-0"
    ],
    "winlog.process.thread.id": [
      6668
    ],
    "user.name": [
      "KINGSLANDING$"
    ],
    "source.domain": [
      "KINGSLANDING"
    ],
    "winlog.logon.failure.status": [
      "This is either due to a bad username or authentication information"
    ],
    "host.os.build": [
      "17763.6054"
    ],
    "host.ip": [
      "192.168.56.10",
      "192.168.133.195"
    ],
    "agent.type": [
      "filebeat"
    ],
    "process.executable.text": [
      "-"
    ],
    "winlog.event_data.Status": [
      "0xc000006d"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x0"
    ],
    "related.ip": [
      "192.168.56.200"
    ],
    "host.os.kernel": [
      "10.0.17763.6054 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "SEVENKINGDOMS"
    ],
    "host.id": [
      "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9"
    ],
    "process.executable": [
      "-"
    ],
    "winlog.task": [
      "Logon"
    ],
    "elastic_agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "-"
    ],
    "winlog.logon.type": [
      "Network"
    ],
    "message": [
      "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tKINGSLANDING$\n\tAccount Domain:\t\tSEVENKINGDOMS\n\nFailure Information:\n\tFailure Reason:\t\tAn Error occured during Logon.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0x0\n\nProcess Information:\n\tCaller Process ID:\t0x0\n\tCaller Process Name:\t-\n\nNetwork Information:\n\tWorkstation Name:\tKINGSLANDING\n\tSource Network Address:\t192.168.56.200\n\tSource Port:\t\t35769\n\nDetailed Authentication Information:\n\tLogon Process:\t\t\n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
    ],
    "winlog.event_id": [
      "4625"
    ],
    "event.action": [
      "logon-failed"
    ],
    "event.ingested": [
      "2024-07-24T15:56:14Z"
    ],
    "@timestamp": [
      "2024-07-24T15:56:21.917Z"
    ],
    "winlog.event_data.SubStatus": [
      "0x0"
    ],
    "winlog.channel": [
      "Security"
    ],
    "winlog.event_data.LogonType": [
      "3"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "event.type": [
      "start"
    ],
    "winlog.event_data.TargetDomainName": [
      "SEVENKINGDOMS"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "dc8646cb-c8d3-48b9-b474-f3615a39f136"
    ],
    "winlog.event_data.SubjectDomainName": [
      "-"
    ],
    "event.dataset": [
      "system.security"
    ],
    "user.name.text": [
      "KINGSLANDING$"
    ]
  }
}

@protectionsmachine commented

Rule: New - Guidelines

These guidelines serve as a reminder of the considerations to weigh when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and

/* Filter for a machine account that matches the hostname */
startswith~(host.name, substring(user.name, 0, -1)) and

🔥 🔥


@Aegrah Aegrah left a comment


Discussed some of this with Jon off-GH. Conclusions:

  • winlog.event_data.AuthenticationPackageName probably contains NTLMv1/v2
  • It does not cover multi-DC environment specifically, but that's not the intent

Cool stuff!

Comment on lines +43 to +48
/* Filter for a machine account that matches the hostname */
startswith~(host.name, substring(user.name, 0, -1)) and

/* Verify if the Source IP belongs to the host */
not endswith(string(source.ip), string(host.ip)) and
source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"

🧙‍♂️
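The two quoted fragments above are the core of the rule: an NTLM network logon whose target is the DC's own machine account (user.name minus the trailing `$`, compared case-insensitively against host.name) arriving from an address that is not the DC itself and is not loopback. The block below is an added example, not the PR's rule or any code from the detection-rules project: it re-implements that filter in Python and runs it over constructed ECS-shaped events modelled on the 4625 sample in the PR description. The event shape (only the fields the rule reads), the event names, and the unwrapping of IPv4-mapped IPv6 addresses are assumptions made for the example.

```python
"""Added example (not the PR's own code): the relay-detection filter quoted in the
review, re-implemented in Python and applied to constructed ECS-style events.

Rule logic mirrored:
  - winlog.event_data.AuthenticationPackageName == "NTLM", logon type "network"
  - startswith~(host.name, substring(user.name, 0, -1)): the target account is the
    host's own machine account (strip the trailing '$', compare case-insensitively)
  - source.ip is present, is not loopback, and does not belong to the host (host.ip)
Unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) is an assumption of this example,
not something the page states.
"""
import ipaddress

LOOPBACK = {"::1", "127.0.0.1"}


def _normalize(ip_text):
    """Parse an IP; unwrap IPv4-mapped IPv6 so the same host compares equal over
    either stack. Returns None when the text is not a valid address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def machine_account_matches_host(user_name, host_name):
    """startswith~(host.name, substring(user.name, 0, -1)) for a '$' machine account.
    startswith (rather than equality) lets a short host.name match an FQDN."""
    if not user_name or not host_name or not user_name.endswith("$"):
        return False
    account = user_name[:-1]                                  # drop the trailing '$'
    return host_name.lower().startswith(account.lower())      # '~' = case-insensitive


def source_ip_is_foreign(source_ip, host_ips):
    """True when the logon came from an address that is not the DC itself."""
    if not source_ip or source_ip in LOOPBACK:
        return False
    src = _normalize(source_ip)
    if src is None or src.is_loopback:
        return False
    own = {_normalize(h) for h in (host_ips or [])}
    own.discard(None)
    return src not in own


def is_potential_dc_relay(event):
    """Apply the whole rule to one ECS-shaped event dict."""
    winlog = event.get("winlog", {})
    if winlog.get("event_data", {}).get("AuthenticationPackageName") != "NTLM":
        return False
    if (winlog.get("logon", {}).get("type") or "").lower() != "network":
        return False
    host = event.get("host", {})
    if not machine_account_matches_host(event.get("user", {}).get("name"), host.get("name")):
        return False
    return source_ip_is_foreign(event.get("source", {}).get("ip"), host.get("ip"))


def _event(user, host_name, host_ips, source_ip, package="NTLM", logon_type="Network"):
    """Build a minimal constructed event carrying only the fields the rule reads."""
    return {
        "winlog": {"event_data": {"AuthenticationPackageName": package},
                   "logon": {"type": logon_type}},
        "user": {"name": user},
        "host": {"name": host_name, "ip": host_ips},
        "source": {"ip": source_ip},
    }


# Constructed sample events, modelled on the 4625 event in the PR description
# (KINGSLANDING$ authenticating to kingslanding from 192.168.56.200).
DC_IPS = ["192.168.56.10", "192.168.133.195"]
SAMPLE_EVENTS = {
    "relay_candidate": _event("KINGSLANDING$", "kingslanding", DC_IPS, "192.168.56.200"),
    "dc_own_address":  _event("KINGSLANDING$", "kingslanding", DC_IPS, "192.168.56.10"),
    "dc_mapped_v6":    _event("KINGSLANDING$", "kingslanding", DC_IPS, "::ffff:192.168.56.10"),
    "loopback":        _event("KINGSLANDING$", "kingslanding", DC_IPS, "::1"),
    "other_machine":   _event("WINTERFELL$", "kingslanding", DC_IPS, "192.168.56.200"),
    "user_account":    _event("jon.snow", "kingslanding", DC_IPS, "192.168.56.200"),
    "kerberos":        _event("KINGSLANDING$", "kingslanding", DC_IPS, "192.168.56.200",
                              package="Kerberos"),
    "no_source_ip":    _event("KINGSLANDING$", "kingslanding", DC_IPS, None),
}


def flagged_events(events):
    """Return the names of the events the rule would alert on."""
    return sorted(name for name, ev in events.items() if is_potential_dc_relay(ev))


if __name__ == "__main__":
    print(flagged_events(SAMPLE_EVENTS))   # ['relay_candidate']
```

Only the event whose source address is neither the DC's own nor loopback is flagged; the DC authenticating to itself (including over an IPv4-mapped IPv6 address), a different machine account, a user account, a Kerberos logon and an event with no source.ip all fall through, which is the behaviour the two quoted filter fragments are meant to produce.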

@w0rk3r w0rk3r merged commit dfdc214 into main Aug 2, 2024
9 checks passed
@w0rk3r w0rk3r deleted the coerced_ntlm_relay branch August 2, 2024 16:03
protectionsmachine pushed a commit that referenced this pull request Aug 2, 2024
* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder

(cherry picked from commit dfdc214)
eric-forte-elastic added a commit that referenced this pull request Aug 5, 2024
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910)

* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User

* increased severity score

Co-authored-by: Ruben Groenewoud <[email protected]>

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

* [Rule Tuning] System Binary Moved or Copied (#3933)

* [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947)

Co-authored-by: Mika Ayenson <[email protected]>

* [New Rule] Potential Relay Attack against a Domain Controller (#3928)

* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder

* [Rule Tuning] AWS S3 Object Versioning Suspended (#3953)

* [Tuning] Executable Bit Set for Potential Persistence Script (#3929)

* [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935)

* [Rule Tuning] Accepted Default Telnet Port Connection (#3954)

Co-authored-by: Mika Ayenson <[email protected]>

* ndjson support for action connectors

* Add kibana API support for actions

* Minor typo

* Add actions connector support

* update rule formatter

* Fix typo

* [New Rule] Outlook Home Page Registry Modification (#3946)

* Fix typos

* Update docs and generated config

* Update all_versions

* Fix comments

---------

Co-authored-by: Isai <[email protected]>
Co-authored-by: Ruben Groenewoud <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>
Co-authored-by: Mika Ayenson <[email protected]>
zsohamwag pushed a commit to zsohamwag/zsoham-detection-rules that referenced this pull request Sep 13, 2024
…c#3928)

* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder
Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule
5 participants