Potential Relay Attack against a Domain Controller

Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC hash after capturing it using forced authentication.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/07/24"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/08/09"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the
11domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC
12hash after capturing it using forced authentication.
13"""
14from = "now-9m"
15index = ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Relay Attack against a Domain Controller"
19references = [
20    "https://github.com/p0dalirius/windows-coerced-authentication-methods",
21    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
22    "https://attack.mitre.org/techniques/T1187/",
23]
24risk_score = 21
25rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
26severity = "low"
27tags = [
28    "Domain: Endpoint",
29    "OS: Windows",
30    "Use Case: Threat Detection",
31    "Tactic: Credential Access",
32    "Data Source: Elastic Defend",
33    "Data Source: Active Directory",
34    "Use Case: Active Directory Monitoring",
35    "Data Source: System",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
42    winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
43
44    /* Filter for a machine account that matches the hostname */
45    startswith~(host.name, substring(user.name, 0, -1)) and
46    
47    /* Verify if the Source IP belongs to the host */
48    not endswith(string(source.ip), string(host.ip)) and
49    source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1187"
57name = "Forced Authentication"
58reference = "https://attack.mitre.org/techniques/T1187/"
59
60[[rule.threat.technique]]
61id = "T1557"
62name = "Adversary-in-the-Middle"
63reference = "https://attack.mitre.org/techniques/T1557/"
64[[rule.threat.technique.subtechnique]]
65id = "T1557.001"
66name = "LLMNR/NBT-NS Poisoning and SMB Relay"
67reference = "https://attack.mitre.org/techniques/T1557/001/"
68
69
70[rule.threat.tactic]
71id = "TA0006"
72name = "Credential Access"
73reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top