From 04673ea5c2abf5a2ddd72d1edb046d11074d59aa Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 25 Jul 2024 11:54:21 -0300
Subject: [PATCH 1/3] [New Rule] Potential Relay Attack against a Domain Controller
---
 ...redential_access_dollar_account_relay.toml | 74 +++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 rules/cross-platform/credential_access_dollar_account_relay.toml
diff --git a/rules/cross-platform/credential_access_dollar_account_relay.toml b/rules/cross-platform/credential_access_dollar_account_relay.toml
new file mode 100644
index 00000000000..901b3e76749
--- /dev/null
+++ b/rules/cross-platform/credential_access_dollar_account_relay.toml
@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2024/07/24"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/07/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the
+domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC
+hash after capturing it using forced authentication
+"""
+from = "now-9m"
+index = ["logs-system.security-*", "logs-windows.forwarded*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Relay Attack against a Domain Controller"
+references = [
+ "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+ "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 21
+rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Defend",
+ "Data Source: Active Directory",
+ "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
+ winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
+
+ /* Filter for a machine account that matches the hostname */
+ startswith~(host.name, substring(user.name, 0, -1)) and
+
+ /* Verify if the Source IP belongs to the host */
+ not endswith(string(source.ip), string(host.ip)) and
+ source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = 
"https://attack.mitre.org/techniques/T1187/" + +[[rule.threat.technique]] +id = "T1557" +name = "Adversary-in-the-Middle" +reference = "https://attack.mitre.org/techniques/T1557/" +[[rule.threat.technique.subtechnique]] +id = "T1557.001" +name = "LLMNR/NBT-NS Poisoning and SMB Relay" +reference = "https://attack.mitre.org/techniques/T1557/001/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + From fc2ec40c6e4a005b4b5ff301d5c91a810f7015c4 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 25 Jul 2024 12:01:08 -0300 Subject: [PATCH 2/3] Update credential_access_dollar_account_relay.toml --- .../cross-platform/credential_access_dollar_account_relay.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cross-platform/credential_access_dollar_account_relay.toml b/rules/cross-platform/credential_access_dollar_account_relay.toml index 901b3e76749..6e490b1eaf2 100644 --- a/rules/cross-platform/credential_access_dollar_account_relay.toml +++ b/rules/cross-platform/credential_access_dollar_account_relay.toml @@ -9,7 +9,7 @@ author = ["Elastic"] description = """ Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC -hash after capturing it using forced authentication +hash after capturing it using forced authentication. """ from = "now-9m" index = ["logs-system.security-*", "logs-windows.forwarded*"] From bd67dc2eb72097296bf2a5638e65ab32d4152792 Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 29 Jul 2024 14:56:30 -0300
Subject: [PATCH 3/3] Move to the correct folder
---
 .../credential_access_dollar_account_relay.toml | 1 -
 1 file changed, 1 deletion(-)
 rename rules/{cross-platform => windows}/credential_access_dollar_account_relay.toml (99%)
diff --git a/rules/cross-platform/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
similarity index 99%
rename from rules/cross-platform/credential_access_dollar_account_relay.toml
rename to rules/windows/credential_access_dollar_account_relay.toml
index 6e490b1eaf2..d4876f833fa 100644
--- a/rules/cross-platform/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -27,7 +27,6 @@ severity = "low"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
- "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Data Source: Elastic Defend",