Potential Local NTLM Relay via HTTP

Identifies an attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/04/30"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target.
13An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Local NTLM Relay via HTTP"
20references = [
21    "https://github.com/med0x2e/NTLMRelay2Self",
22    "https://github.com/topotam/PetitPotam",
23    "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
24]
25risk_score = 73
26rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
27severity = "high"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion","Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type == "start" and
34  process.name : "rundll32.exe" and
35
36  /* Rundll32 WbeDav Client  */
37  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
38
39  /* Access to named pipe via http */
40  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1212"
48name = "Exploitation for Credential Access"
49reference = "https://attack.mitre.org/techniques/T1212/"
50
51
52[rule.threat.tactic]
53id = "TA0006"
54name = "Credential Access"
55reference = "https://attack.mitre.org/tactics/TA0006/"
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1218"
61name = "System Binary Proxy Execution"
62reference = "https://attack.mitre.org/techniques/T1218/"
63[[rule.threat.technique.subtechnique]]
64id = "T1218.011"
65name = "Rundll32"
66reference = "https://attack.mitre.org/techniques/T1218/011/"
67
68[rule.threat.tactic]
69id = "TA0005"
70name = "Defense Evasion"
71reference = "https://attack.mitre.org/tactics/TA0005/"
