Potential Local NTLM Relay via HTTP

Identifies an attempt to coerce a local NTLM authentication via HTTP, using the Windows Print Spooler service as the target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.


# Bookkeeping about the rule itself (dates, maturity, integrations). Nothing here is
# referenced by the EQL query under [rule]; it does not change what the rule matches.
[metadata]
creation_date = "2022/04/30"
# Integrations the rule is written against; compare with the index patterns and the
# "Data Source:" tags under [rule] when adding or removing a data source.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/08/07"
 6
[rule]
author = ["Elastic"]
description = """
Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target.
An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
"""
# Look-back window for each rule run. timestamp_override below applies it to
# event.ingested rather than the event's own timestamp (Elastic convention — confirm),
# so events that arrive late are still evaluated.
from = "now-9m"
# The query only fires on process start events that carry process.args; a source in
# this list that does not populate process.args cannot produce a match (verify per source).
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.*",
    "endgame-*",
    "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Local NTLM Relay via HTTP"
# Tooling that exercises the coercion primitive this rule is built around.
references = [
    "https://github.com/med0x2e/NTLMRelay2Self",
    "https://github.com/topotam/PetitPotam",
    "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
]
risk_score = 73
rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL). A rundll32.exe process start whose arguments both (1) load the
# DavSetCookie export of davclnt.dll — the WebDAV client — from either System32 or
# SysWOW64, and (2) contain an http(s) URL that names a print/spoolss or srvsvc named pipe.
# Per the description and references, this is the shape of a coerced local NTLM
# authentication over HTTP that can then be relayed back to the host.
# The ":" operator is a case-insensitive wildcard match, so "http*" also covers https and
# "?:" covers any drive letter.
# Tuning note: ordinary WebDAV activity is likely to hit the DavSetCookie condition as well;
# the pipe-path condition is what carries the signal, so keep it intact when adjusting the rule.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "rundll32.exe" and

  /* Rundll32 WbeDav Client  */
  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and

  /* Access to named pipe via http */
  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
'''
55
56
# MITRE ATT&CK mapping. Each [[rule.threat]] element pairs one tactic with the
# technique(s) relevant to it; the [rule.threat.tactic] sub-table belongs to the
# [[rule.threat]] element that precedes it, so ordering within each element matters.
# First element: the credential-access outcome (coerced NTLM authentication).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
# Second element: the defense-evasion aspect — the WebDAV client is driven through
# rundll32.exe (a signed system binary), which is what the query keys on.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
