Potential Local NTLM Relay via HTTP
Identifies an attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
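# Rule metadata. Dates are kept as YYYY/MM/DD strings (not TOML dates) to
# match the values already used by this rule.
[metadata]
creation_date = "2022/04/30"
integration = ["endpoint", "windows"]
maturity = "production"
# Why min_stack_version is pinned: the fields named here only exist from that stack release.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
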
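[rule]
author = ["Elastic"]
description = """
Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target.
An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.
"""
# Look-back window evaluated on each scheduled run.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Local NTLM Relay via HTTP"
references = [
    "https://github.com/med0x2e/NTLMRelay2Self",
    "https://github.com/topotam/PetitPotam",
    "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py",
]
risk_score = 73
rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
# Schedule against event.ingested rather than the event's own timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Matches a rundll32.exe process start whose arguments both (a) invoke the
# WebDAV client DLL entry point (davclnt.dll,DavSetCookie) and (b) name an
# HTTP URL pointing at a named pipe (print/pipe, spoolss or srvsvc).
# Tuning note: condition (b) is what separates this from ordinary WebDAV
# client use on the host; loosen it with care, as (a) alone is presumably
# far noisier.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "rundll32.exe" and

  /* Rundll32 WbeDav Client */
  process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and

  /* Access to named pipe via http */
  process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
'''
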
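# ATT&CK mapping. The technique and tactic sub-tables below belong to this
# single threat element, so they must stay between this header and any
# further [[rule.threat]] entry.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1212"
name = "Exploitation for Credential Access"
reference = "https://attack.mitre.org/techniques/T1212/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"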