Potential Local NTLM Relay via HTTP

Identifies attempts to coerce a local NTLM authentication over HTTP (WebDAV) by targeting the Windows Print Spooler service's named pipe. An adversary may chain this primitive with other techniques (for example, relaying the coerced authentication back to the local host) to elevate privileges on a compromised system.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/04/30"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target.
11An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
12"""
13from = "now-9m"
14index = [
15    "winlogbeat-*",
16    "logs-endpoint.events.process-*",
17    "logs-windows.*",
18    "endgame-*",
19    "logs-system.security*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Potential Local NTLM Relay via HTTP"
24references = [
25    "https://github.com/med0x2e/NTLMRelay2Self",
26    "https://github.com/topotam/PetitPotam",
27    "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
28]
29risk_score = 73
30rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
31severity = "high"
32tags = [
33    "Domain: Endpoint",
34    "OS: Windows",
35    "Use Case: Threat Detection",
36    "Tactic: Credential Access",
37    "Tactic: Defense Evasion",
38    "Data Source: Elastic Endgame",
39    "Data Source: Elastic Defend",
40]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where host.os.type == "windows" and event.type == "start" and
46  process.name : "rundll32.exe" and
47
48  /* Rundll32 WbeDav Client  */
49  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
50
51  /* Access to named pipe via http */
52  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
53'''
54
55
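# ATT&CK mapping (1/2): the coerced NTLM authentication yields authentication
# material the attacker can relay, hence Credential Access.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"

# Sub-table of this [[rule.threat]] element; must stay before the next [[rule.threat]].
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"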
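# ATT&CK mapping (2/2): the coercion surfaces as a signed system binary
# (rundll32.exe) proxying execution of davclnt.dll, hence Defense Evasion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

# Sub-table of this [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"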
