Potential Local NTLM Relay via HTTP
Identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths such as Print Spooler or SRVSVC. Adversaries can combine this primitive with relay tooling to elevate privileges.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/04/30"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to coerce local NTLM authentication over HTTP through WebDAV named-pipe paths such as
Print Spooler or SRVSVC. Adversaries can combine this primitive with relay tooling to elevate privileges.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Local NTLM Relay via HTTP"
references = [
  "https://github.com/med0x2e/NTLMRelay2Self",
  "https://github.com/topotam/PetitPotam",
  "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
]
risk_score = 73
rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Windows Security Event Logs",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "rundll32.exe" and

  /* Rundll32 WebDAV client (davclnt.dll, DavSetCookie entry point) */
  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and

  /* Access to named pipe via http */
  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
'''

note = """## Triage and analysis

### Investigating Potential Local NTLM Relay via HTTP

#### Possible investigation steps

- Does the alert-local command line confirm WebDAV-to-named-pipe relay behavior?
  - Focus: `process.command_line` and `process.executable`; confirm rundll32.exe loads davclnt.dll,DavSetCookie and targets HTTP pipe paths: /print/pipe/, /pipe/spoolss, or /pipe/srvsvc.
  - Implication: escalate when one command combines DavSetCookie with HTTP named-pipe paths, matching NTLMRelay2Self and printerbug-style coercion; close only when exact `process.command_line`, `user.id`, and `host.id` tie to authorized relay testing or explicit WebDAV/print diagnostics intentionally exercising this path.

- Is the binary identity and launch chain consistent with the relay context?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.parent.executable`, and `process.parent.command_line`.
  - Implication: escalate when rundll32.exe is renamed, outside a Windows system path, launched by a script, document, remote-management, or user-writable parent, or signer-mismatched; lower suspicion only when identity and parent chain match the authorized test or diagnostic workflow. Identity alone does not clear relay behavior.

- Did the process contact the HTTP listener implied by the relay path?
  - Focus: if endpoint network telemetry exists, recover process network events with `host.id` plus `process.entity_id`; fall back to `host.id` plus `process.pid` in a tight window. Read DNS via `dns.question.name`; connections via `destination.ip` and `destination.port`. $investigate_2
  - Hint: compare destinations to the HTTP host in `process.command_line`; loopback, same-host aliases, private listeners, or unexpected external HTTP infrastructure are decisive.
  - Implication: escalate when traffic reaches the listener named by the relay command or an unexplained HTTP endpoint. Missing endpoint network or DNS telemetry is unresolved, not benign.

- Did authentication events explain the local rundll32 session or relay follow-on?
  - Why: the process alert proves relay intent; Windows Security events can explain the operator session, while relay proof may surface as inbound NTLM on this host, target-host authentication, or DC-side validation.
  - Focus: for local session context, bridge `process.Ext.authentication_id` to same-host `winlog.event_data.TargetLogonId`; on 4624, read `winlog.event_data.AuthenticationPackageName` and `source.ip`. $investigate_3
  - Hint: for relay proof, search same-host inbound NTLM without `user.id`, target-host 4624/4625, and DC-side 4776 using the listener, reconstructed targets, or source addresses from command/network evidence. Search 4648 on `winlog.event_data.SubjectLogonId` only for explicit credentials from the local session.
  - Implication: escalate when the local session origin is unexplained, same-host inbound NTLM appears around the alert, or target/DC authentication shows coerced machine or service-account use tied to the listener or targets. Missing authentication telemetry is unresolved, not benign.

- Is there follow-on execution, tooling, or repeated coercion around the process?
  - Focus: child processes where `process.parent.entity_id` matches `process.entity_id`, reading `process.Ext.token.integrity_level_name`; if endpoint file telemetry exists, recover files with `host.id` plus `process.entity_id`, or `host.id` plus `process.pid` in a tight window, then read `file.path`. $investigate_4
  - Hint: look for command lines or artifacts naming PetitPotam, printerbug, NTLMRelay2Self, ntlmrelayx, shadow credentials, RBCD, or WebClient/Print Spooler preparation.
  - Implication: escalate when the window shows dropped tools, secondary scripts, repeated rundll32.exe relay attempts, privileged child processes, or WebClient/Print Spooler preparation. Missing endpoint file telemetry limits corroboration, not the alert-local finding.

- If local evidence is suspicious or unresolved, do related alerts change scope?
  - Focus: related alerts for `user.id` covering credential access, relay testing, privilege escalation, or lateral movement. $investigate_0
  - Hint: compare related alerts for `host.id` for spooler abuse, WebClient activity, remote execution, NTLM relay, or coercion patterns. $investigate_1
  - Implication: broaden when either pivot shows repeated relay/coercion or credential-access activity outside the authorized test or diagnostic; keep local when both stay confined to that activity.

- Escalate when relay-path arguments plus binary lineage, listener contact, NTLM/auth evidence, follow-on tooling, or related alerts indicate unauthorized relay; close only when alert-local evidence and supported recovery fit one authorized workflow; preserve and escalate if evidence is mixed or incomplete.

### False positive analysis

- Authorized red-team, purple-team, relay-lab validation, or explicit WebDAV/print diagnostics can trigger this rule. Confirm that `process.command_line`, `process.parent.executable`, `user.id`, `host.id`, destination evidence if available, and authentication evidence all align with that activity. Routine WebDAV or print troubleshooting is insufficient unless it explains the DavSetCookie-to-HTTP-pipe pattern.
- Without workflow records, require a telemetry-only match across prior alerts from this rule: same `process.parent.executable`, exact `process.command_line` pattern, `user.id`, `host.id`, and supported destination or authentication pattern. Build exceptions only from that full workflow; avoid exceptions on rundll32.exe, davclnt.dll, or the pipe path alone.

### Response and remediation

- If confirmed benign, release temporary containment and document the workflow anchors: `process.executable`, `process.parent.executable`, exact `process.command_line`, `user.id`, `host.id`, and the recovered destination or authentication evidence. Create an exception only when the same full workflow recurs across prior alerts from this rule.
- If suspicious but unconfirmed, preserve the alert details, `process.entity_id` or `process.pid`, `process.command_line`, `process.parent.command_line`, process tree, recovered network or DNS records, Windows Security records, and file artifacts before containment. Apply reversible containment first, such as temporary HTTP/WebDAV restrictions or heightened monitoring on the host; isolate only if repeated relay attempts, corroborating NTLM activity, follow-on execution, or exposure on a domain controller, print server, or jump host raises the risk and the asset can tolerate isolation.
- If confirmed malicious, preserve the command line, process tree, listener details, authentication records, and dropped artifacts first. Then isolate the host through endpoint response when the evidence establishes unauthorized relay, and kill or suspend the responsible process if it is still active. Block confirmed malicious listeners, path fragments, hashes, or follow-on tools before cleanup.
- If investigation shows successful relay or privileged machine/service-account use, review and rotate affected credentials or secrets according to privilege tier, and coordinate disruptive identity or infrastructure changes before acting on domain controllers, print servers, or jump hosts.
- Before eradication, scope the same command fragment, listener, `user.id`, `host.id`, authentication indicators, and adjacent tooling across other hosts and sessions so evidence is not destroyed before spread is understood. Then remove the relay tooling and harden the exposed path, including unnecessary WebClient or Print Spooler exposure, NTLM relay mitigations, and service-specific controls identified during the investigation.
- Post-incident hardening: retain process, endpoint network, endpoint file, and Windows Security telemetry needed for this correlation, and document adjacent PetitPotam, printerbug, NTLMRelay2Self, or alternate coercion evidence for future triage.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "host.name",
  "user.id",
  "user.name",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.command_line",
  "process.pe.original_file_name",
  "process.parent.executable",
  "process.parent.command_line",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
  "process.Ext.authentication_id",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events for the relay process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Windows Security events for the local process session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{process.Ext.authentication_id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{process.Ext.authentication_id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" }
  ]
]
relativeFrom = "now-24h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process events for the relay process"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1187"
name = "Forced Authentication"
reference = "https://attack.mitre.org/techniques/T1187/"

[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"

[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
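The EQL query above has three clauses: a process-start event for rundll32.exe, an argument matching the WebDAV client entry point `davclnt.dll,DavSetCookie`, and an argument whose HTTP path names a pipe. The following Python re-implements that predicate and runs it over constructed sample events, so the matching semantics (the `:` operator's case-insensitive `?` and `*` wildcards, the list-valued `process.args`) can be checked offline. This is an added example, not the Elastic rule's own code; the event dicts, their flat dotted keys and every value in them are constructed for illustration.

```python
"""The rule's EQL predicate re-implemented in Python and run over constructed sample events.

Added example, not the Elastic rule's own code. Event dicts use flat ECS-style
dotted keys; every value below is constructed for illustration.
"""
from fnmatch import fnmatchcase

# Patterns copied from the rule query. EQL's ':' operator is a case-insensitive
# wildcard match in which '?' is exactly one character and '*' any run of characters.
DAVCLNT_PATTERNS = (
    r"?:\Windows\System32\davclnt.dll,DavSetCookie",
    r"?:\Windows\SysWOW64\davclnt.dll,DavSetCookie",
)
PIPE_PATTERNS = ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")


def eql_match(value, patterns):
    """Emulate `field : (p1, p2, ...)`: true if any element of the field matches any pattern.

    fnmatch treats '?' and '*' the way EQL does and escapes everything else, so the
    backslashes in the DLL paths match literally. Lowercasing both sides gives
    EQL's case-insensitive behaviour.
    """
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def matches_rule(event):
    """True when a process event satisfies every clause of the rule query."""
    args = event.get("process.args")
    return (
        event.get("host.os.type") == "windows"
        and event.get("event.type") == "start"
        and eql_match(event.get("process.name"), ("rundll32.exe",))
        and eql_match(args, DAVCLNT_PATTERNS)  # WebDAV client DLL entry point
        and eql_match(args, PIPE_PATTERNS)     # HTTP path that names a pipe
    )


def run_rule(events):
    """Return the command lines of the events that would raise this alert."""
    return [e["process.command_line"] for e in events if matches_rule(e)]


def _event(name, args, event_type="start", os_type="windows"):
    """Build a minimal constructed process event."""
    return {
        "host.os.type": os_type,
        "event.type": event_type,
        "process.name": name,
        "process.args": args,
        "process.command_line": " ".join(args),
    }


DAVCLNT = r"C:\Windows\System32\davclnt.dll,DavSetCookie"
SAMPLE_EVENTS = [  # constructed telemetry, not real alert data
    # 1: WebDAV client aimed at the SRVSVC pipe on a local listener -> alert
    _event("RUNDLL32.EXE", ["rundll32.exe", DAVCLNT, "http://127.0.0.1:8080/pipe/srvsvc"]),
    # 2: same client, spooler pipe under the /print/ prefix -> alert
    _event("rundll32.exe", ["rundll32.exe", DAVCLNT, "http://localhost/print/pipe/spoolss"]),
    # 3: ordinary WebDAV cookie for a document share, no pipe path -> no alert
    _event("rundll32.exe", ["rundll32.exe", DAVCLNT, "http://files.corp.example/docs/"]),
    # 4: process-end record for the same command -> excluded by event.type
    _event("rundll32.exe", ["rundll32.exe", DAVCLNT, "http://127.0.0.1:8080/pipe/srvsvc"],
           event_type="end"),
    # 5: rundll32 loading an unrelated DLL -> no alert
    _event("rundll32.exe", ["rundll32.exe", r"C:\Windows\System32\shell32.dll,Control_RunDLL",
                            "desk.cpl"]),
]

if __name__ == "__main__":
    for cmd in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Event 3 is the reason the rule keys on the pipe path rather than on `DavSetCookie` alone: the same DLL entry point is used for ordinary WebDAV shares, which is also why the false-positive guidance warns against exceptions built on rundll32.exe or davclnt.dll by themselves.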
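The investigation steps in the rule's note pivot from one alert to three kinds of telemetry: same-host 4624 events whose `TargetLogonId` equals the process's `process.Ext.authentication_id`, network events attributed to the relay process compared against the HTTP listener named in the command line, and child processes with their integrity level. The following Python carries those pivots out over constructed sample telemetry and applies the note's escalation logic (listener contact or a privileged child escalates; missing telemetry is unresolved, not benign). This is an added example, not Elastic's code; the flat dotted keys, the `triage` and `listener_from_command_line` helpers, the values `high` and `system` assumed for `process.Ext.token.integrity_level_name`, and every sample value are constructed or assumed for illustration.

```python
"""Investigation-guide pivots implemented over constructed sample telemetry.

Added example, not Elastic's code. All events are constructed and use flat
ECS-style dotted keys; the integrity-level names are assumed values.
"""
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1"}


def listener_from_command_line(command_line):
    """Return (host, port) of the first http(s) URL in the alerting command line, or None."""
    for token in command_line.split():
        if token.lower().startswith(("http://", "https://")):
            url = urlsplit(token)
            return url.hostname, url.port or (443 if url.scheme == "https" else 80)
    return None


def triage(alert, events):
    """Correlate one alert with surrounding telemetry and apply the guide's escalation logic."""
    same_host = [e for e in events if e.get("host.id") == alert["host.id"]]
    auth_id = alert["process.Ext.authentication_id"]
    entity_id = alert["process.entity_id"]

    # $investigate_3: local session context, authentication id bridged to 4624 TargetLogonId
    logons = [e for e in same_host
              if e.get("event.code") == "4624"
              and e.get("winlog.event_data.TargetLogonId") == auth_id]
    # $investigate_2: network events attributed to the relay process
    network = [e for e in same_host
               if e.get("event.category") == "network"
               and e.get("process.entity_id") == entity_id]
    # $investigate_4: processes whose parent is the relay process
    children = [e for e in same_host
                if e.get("event.category") == "process"
                and e.get("event.type") == "start"
                and e.get("process.parent.entity_id") == entity_id]

    # Compare destinations with the listener named in the command line; "localhost"
    # is treated as the loopback addresses, which the guide counts as the same host.
    listener = listener_from_command_line(alert["process.command_line"])
    listener_hosts = set()
    if listener:
        listener_hosts.add(listener[0])
        if listener[0] == "localhost":
            listener_hosts |= LOOPBACK
    listener_contacted = listener is not None and any(
        e.get("destination.ip") in listener_hosts and e.get("destination.port") == listener[1]
        for e in network
    )
    privileged_children = [
        e.get("process.executable") for e in children
        if str(e.get("process.Ext.token.integrity_level_name", "")).lower() in ("high", "system")
    ]

    if listener_contacted or privileged_children:
        verdict = "escalate"
    elif not logons or not network:
        verdict = "unresolved"  # missing telemetry is unresolved, not benign
    else:
        verdict = "review"

    return {
        "listener": listener,
        "listener_contacted": listener_contacted,
        "session_auth_packages": sorted({e["winlog.event_data.AuthenticationPackageName"]
                                         for e in logons
                                         if e.get("winlog.event_data.AuthenticationPackageName")}),
        "session_source_ips": sorted({e["source.ip"] for e in logons if e.get("source.ip")}),
        "privileged_children": privileged_children,
        "verdict": verdict,
    }


ALERT = {  # constructed alert document
    "host.id": "host-A",
    "process.entity_id": "proc-1",
    "process.Ext.authentication_id": "0x3e7abc",
    "process.command_line": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie http://127.0.0.1:8080/pipe/srvsvc",
}
SAMPLE_TELEMETRY = [  # constructed events, not real data
    {"host.id": "host-A", "event.code": "4624", "winlog.event_data.TargetLogonId": "0x3e7abc",
     "winlog.event_data.AuthenticationPackageName": "NTLM", "source.ip": "10.0.0.25"},
    {"host.id": "host-A", "event.code": "4624", "winlog.event_data.TargetLogonId": "0x51c0de",
     "winlog.event_data.AuthenticationPackageName": "Kerberos", "source.ip": "10.0.0.9"},  # unrelated session
    {"host.id": "host-A", "event.category": "network", "process.entity_id": "proc-1",
     "destination.ip": "127.0.0.1", "destination.port": 8080},
    {"host.id": "host-B", "event.category": "network", "process.entity_id": "proc-1",
     "destination.ip": "127.0.0.1", "destination.port": 8080},  # other host, must not count
    {"host.id": "host-A", "event.category": "process", "event.type": "start",
     "process.parent.entity_id": "proc-1", "process.executable": r"C:\Windows\System32\cmd.exe",
     "process.Ext.token.integrity_level_name": "high"},
]

if __name__ == "__main__":
    for key, value in triage(ALERT, SAMPLE_TELEMETRY).items():
        print(f"{key}: {value}")
```

The `host.id` filter applied before every pivot is deliberate: `process.entity_id` is only unique per host, so the network event from `host-B` in the sample must not be attributed to this process. Host-name-to-IP resolution via `dns.question.name`, which the guide also asks for, is left out here and would be the next pivot to add.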