Potential Relay Attack against a Domain Controller
Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC hash after capturing it using forced authentication.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/07/24"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the
13domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC
14hash after capturing it using forced authentication.
15"""
16from = "now-9m"
17index = ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Relay Attack against a Domain Controller"
21references = [
22 "https://github.com/p0dalirius/windows-coerced-authentication-methods",
23 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
24 "https://attack.mitre.org/techniques/T1187/",
25]
26risk_score = 21
27rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
28severity = "low"
29tags = [
30 "Domain: Endpoint",
31 "OS: Windows",
32 "Use Case: Threat Detection",
33 "Tactic: Credential Access",
34 "Data Source: Elastic Defend",
35 "Data Source: Active Directory",
36 "Use Case: Active Directory Monitoring",
37 "Data Source: System",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
44 winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
45
46 /* Filter for a machine account that matches the hostname */
47 startswith~(host.name, substring(user.name, 0, -1)) and
48
49 /* Verify if the Source IP belongs to the host */
50 not endswith(string(source.ip), string(host.ip)) and
51 source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1187"
59name = "Forced Authentication"
60reference = "https://attack.mitre.org/techniques/T1187/"
61
62[[rule.threat.technique]]
63id = "T1557"
64name = "Adversary-in-the-Middle"
65reference = "https://attack.mitre.org/techniques/T1557/"
66[[rule.threat.technique.subtechnique]]
67id = "T1557.001"
68name = "LLMNR/NBT-NS Poisoning and SMB Relay"
69reference = "https://attack.mitre.org/techniques/T1557/001/"
70
71
72[rule.threat.tactic]
73id = "TA0006"
74name = "Credential Access"
75reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols. - GitHub - p0dalirius/windows-coerced-...
Read More -
Comprehensive cybersecurity guides and strategies for ethical hacking and penetration testing
Read More -
DS0022 File File Access Monitor for access to files that may indicate attempts to coerce a user into providing authentication information. Analytic 1 - Suspicious access to files known to be used f...
Read More
Related rules
- Active Directory Forced Authentication from Linux Host - SMB Named Pipes
- Access to a Sensitive LDAP Attribute
- Creation of a DNS-Named Record
- Potential ADIDNS Poisoning via Wildcard Record Creation
- Potential Credential Access via DCSync