Potential Local NTLM Relay via HTTP
Identifies an attempt to coerce a local NTLM authentication over HTTP (WebDAV) by pointing the Windows WebDAV client at a named pipe on the local host — the Print Spooler (`spoolss`) or Server service (`srvsvc`) pipes matched by the rule. An adversary may use this primitive in combination with other techniques (for example, relaying the coerced authentication to a local service) to elevate privileges on a compromised system.
[metadata]
# Rule lifecycle dates (YYYY/MM/DD) and release status.
creation_date = "2022/04/30"
updated_date = "2024/10/31"
maturity = "production"

# The Windows integration has a breaking change at 8.14.0, so the rule is gated to
# stacks at or above that version; min_stack_comments records the reason.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

# Integrations that produce the data streams read by the rule's index patterns.
integration = [
  "endpoint",
  "windows",
  "system",
  "m365_defender",
  "sentinel_one_cloud_funnel",
  "crowdstrike",
]

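[rule]
author = ["Elastic"]
# The query matches the spoolss *and* srvsvc pipes, so the description names both rather
# than only the Print Spooler.
description = """
Identifies an attempt to coerce a local NTLM authentication over HTTP (WebDAV) by pointing the Windows WebDAV client
at a named pipe on the local host, such as the Print Spooler (spoolss) or Server service (srvsvc) pipes. An adversary
may use this primitive in combination with other techniques (for example, relaying the coerced authentication to a
local service) to elevate privileges on a compromised system.
"""
# Lookback window per execution; paired with timestamp_override below so that events
# ingested late are still evaluated.
from = "now-9m"
# Every source listed here must deliver process start events with process.args populated,
# because the query keys on the rundll32 command-line arguments.
index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
 "logs-windows.forwarded*",
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Local NTLM Relay via HTTP"
# Public tooling that implements the coercion this rule looks for.
references = [
 "https://github.com/med0x2e/NTLMRelay2Self",
 "https://github.com/topotam/PetitPotam",
 "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
]
risk_score = 73
rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: System",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: a rundll32 start whose arguments are the WebDAV client's DavSetCookie
# helper (davclnt.dll) together with an http(s) URL pointing at a named pipe. The rundll32
# invocation is presumably spawned by the WebClient service when it issues the request
# (NOTE(review): confirm the parent process in your telemetry before tuning on it).
# Coverage caveat: all target patterns require an "http*" prefix, so the same coercion
# over SMB (\\host\pipe\spoolss) is NOT matched by this rule.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "rundll32.exe" and

 /* Rundll32 WebDAV client helper (davclnt.dll,DavSetCookie) */
 process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and

 /* Target named pipe reached over HTTP: print spooler (spoolss) or server service (srvsvc) */
 process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
'''
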
[[rule.threat]]
# Primary ATT&CK mapping: the coerced authentication is a credential-access primitive.
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"

[[rule.threat]]
# Secondary ATT&CK mapping: the coercion is carried out through a rundll32 invocation,
# i.e. a signed system binary proxying the WebDAV request.
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"
References
Related rules
- Disable Windows Firewall Rules via Netsh
- Suspicious .NET Code Compilation
- Potential Credential Access via Windows Utilities
- Attempt to Establish VScode Remote Tunnel
- Creation or Modification of Domain Backup DPAPI private key