Potential Local NTLM Relay via HTTP
Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/04/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target.
An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Local NTLM Relay via HTTP"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Local NTLM Relay via HTTP

NTLM, a suite of Microsoft security protocols, is often targeted by adversaries for credential theft. Attackers may exploit the Windows Printer Spooler service to coerce NTLM authentication over HTTP, potentially elevating privileges. The detection rule identifies suspicious rundll32.exe executions invoking WebDAV client DLLs with specific arguments, signaling attempts to access named pipes via HTTP, indicative of NTLM relay attacks.

### Possible investigation steps

- Review the process execution details for rundll32.exe, focusing on the specific arguments related to davclnt.dll and DavSetCookie, to confirm the presence of suspicious WebDAV client activity.
- Investigate the network connections initiated by the rundll32.exe process to identify any HTTP requests targeting named pipes, such as those containing "/print/pipe/", "/pipe/spoolss", or "/pipe/srvsvc".
- Check the system's event logs for any related authentication attempts or failures around the time of the alert to identify potential NTLM relay activity.
- Analyze the history of the Windows Printer Spooler service on the affected host to determine if it has been recently manipulated or exploited.
- Correlate the alert with other security events or alerts from data sources like Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or patterns.
- Assess the user account associated with the NTLM authentication attempt to determine if it has been compromised or is being used in an unauthorized manner.

### False positive analysis

- Legitimate administrative tasks using rundll32.exe with WebDAV client DLLs may trigger the rule. Review the context of the execution, such as the user account and the timing, to determine if it aligns with expected administrative activities.
- Automated software deployment or update processes might use similar rundll32.exe calls. Verify if the process is part of a scheduled or known deployment task and consider excluding these specific processes from the rule.
- Some third-party applications may use WebDAV for legitimate purposes, which could mimic the behavior detected by the rule. Identify these applications and create exceptions for their known processes to prevent false alerts.
- System maintenance scripts or tools that interact with network resources via HTTP might inadvertently match the rule's criteria. Ensure these scripts are documented and exclude them if they are verified as non-threatening.
- Regularly review and update the exclusion list to accommodate changes in legitimate software behavior, ensuring that only verified false positives are excluded to maintain the rule's effectiveness.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious rundll32.exe processes identified in the alert to stop ongoing malicious activity.
- Conduct a thorough review of the affected system's event logs and network traffic to identify any additional indicators of compromise or related malicious activity.
- Reset credentials for any accounts that may have been exposed or compromised during the attack to prevent unauthorized access.
- Apply the latest security patches and updates to the Windows Printer Spooler service and related components to mitigate known vulnerabilities.
- Implement network segmentation to limit the exposure of critical services and reduce the risk of similar attacks in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
references = [
  "https://github.com/med0x2e/NTLMRelay2Self",
  "https://github.com/topotam/PetitPotam",
  "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
]
risk_score = 73
rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "rundll32.exe" and

  /* Rundll32 WebDAV Client */
  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and

  /* Access to named pipe via http */
  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
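As an added example (not part of the Elastic rule or its repository), the rule's EQL predicates re-implemented in Python and run over constructed process-start events, so the `:` wildcard semantics and the two-predicate structure can be checked offline. Field names follow the flattened ECS layout the index list implies; the hostnames, paths and drive letters in the sample events are made up.

```python
import re

# Patterns copied from the rule's EQL; the "\\" escapes resolve to a single backslash.
DAVCLNT_PATTERNS = (
    r"?:\Windows\System32\davclnt.dll,DavSetCookie",
    r"?:\Windows\SysWOW64\davclnt.dll,DavSetCookie",
)
PIPE_PATTERNS = ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")

def eql_match(value, pattern):
    """EQL ':' operator: case-insensitive, '*' matches any run, '?' exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def any_arg_matches(args, patterns):
    """process.args : (p1, p2, ...) holds when any argument matches any pattern."""
    return any(eql_match(arg, p) for arg in args for p in patterns)

def rule_matches(event):
    """Evaluate the rule's 'process where ...' clause against one flattened ECS event."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if not eql_match(event.get("process.name", ""), "rundll32.exe"):
        return False
    args = event.get("process.args", [])
    # Both predicates must hold: the WebDAV client DLL entry point AND a named-pipe URL.
    return any_arg_matches(args, DAVCLNT_PATTERNS) and any_arg_matches(args, PIPE_PATTERNS)

# Constructed sample events (hostnames and paths are invented for the demonstration).
SAMPLE_EVENTS = [
    {   # 1) DavSetCookie pointed at a named pipe over HTTP -> alert
        "host.os.type": "windows", "event.type": "start", "process.name": "RUNDLL32.EXE",
        "process.args": ["rundll32.exe", r"C:\Windows\System32\davclnt.dll,DavSetCookie",
                         "http://webdav-host.example/pipe/spoolss"],
    },
    {   # 2) Ordinary WebDAV share access through the same DLL -> no alert (false-positive case)
        "host.os.type": "windows", "event.type": "start", "process.name": "rundll32.exe",
        "process.args": ["rundll32.exe", r"D:\Windows\SysWOW64\davclnt.dll,DavSetCookie",
                         "http://files.example.internal/share/report.docx"],
    },
    {   # 3) Pipe path present but not via the WebDAV client DLL -> no alert
        "host.os.type": "windows", "event.type": "start", "process.name": "rundll32.exe",
        "process.args": ["rundll32.exe", "other.dll,Entry", "http://h.example/pipe/srvsvc"],
    },
]

def alerting_events(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Event 2 shows why the note's false-positive guidance matters: the same DLL entry point is used for legitimate WebDAV access, and only the named-pipe URL predicate separates the two.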