Active Directory Forced Authentication from Linux Host - SMB Named Pipes
Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/07/23"
3integration = ["endpoint", "system"]
4maturity = "production"
5updated_date = "2024/10/01"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to
11authenticate to a host controlled by them to capture hashes or enable relay attacks.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.network-*", "logs-system.security-*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
18references = [
19 "https://github.com/p0dalirius/windows-coerced-authentication-methods",
20 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
21 "https://attack.mitre.org/techniques/T1187/",
22]
23risk_score = 47
24rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
25setup = """## Setup
26
27This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
28for correlation. Both data sources should be collected from the hosts for this detection to work.
29
30The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
31Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Audit Detailed File Share (Success,Failure)
1"""
2severity = "medium"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "OS: Linux",
7 "Use Case: Threat Detection",
8 "Tactic: Credential Access",
9 "Data Source: Elastic Defend",
10 "Data Source: Active Directory",
11 "Use Case: Active Directory Monitoring",
12 "Data Source: System",
13]
14timestamp_override = "event.ingested"
15type = "eql"
16
17query = '''
18sequence with maxspan=15s
19[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
20[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace
21'''
22
23
24[[rule.threat]]
25framework = "MITRE ATT&CK"
26[[rule.threat.technique]]
27id = "T1187"
28name = "Forced Authentication"
29reference = "https://attack.mitre.org/techniques/T1187/"
30
31
32[rule.threat.tactic]
33id = "TA0006"
34name = "Credential Access"
35reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- Suspicious Module Loaded by LSASS
- LSASS Process Access via Windows API
- Suspicious File Downloaded from Google Drive
- Windows Registry File Creation in SMB Share
- Sensitive Registry Hive Access via RegBack