Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
Sigma rule

title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4625
            - 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
        WorkstationName|re: '^[A-Za-z0-9]{16}$'
    selection2:
        EventID: 4776
        Workstation|re: '^[A-Za-z0-9]{16}$'
    condition: 1 of selection*
falsepositives:
    - Linux hostnames composed of 16 characters.
level: high
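The rule's two selections and its condition, implemented as matching logic and run over constructed Windows Security events; this is an added Python example, not code from the Sigma rule or its repository, and the sample events (including the 16-character Linux-style hostname that reproduces the documented false positive) are made up for illustration.

```python
import re
from typing import Dict, Iterable, List

# Regex from the rule: exactly 16 alphanumeric characters, anchored at both ends.
WORKSTATION_RE = re.compile(r'^[A-Za-z0-9]{16}$')


def _field(event: Dict[str, object], name: str) -> str:
    """Return a field as a string ('' if absent); Windows event fields are usually strings."""
    value = event.get(name)
    return '' if value is None else str(value)


def matches_selection1(event: Dict[str, object]) -> bool:
    """4624/4625 network (type 3) NTLM logons from a 16-char alphanumeric workstation name."""
    return (_field(event, 'EventID') in ('4624', '4625')
            and _field(event, 'LogonType') == '3'
            and _field(event, 'AuthenticationPackageName') == 'NTLM'
            and WORKSTATION_RE.search(_field(event, 'WorkstationName')) is not None)


def matches_selection2(event: Dict[str, object]) -> bool:
    """4776 credential validation where the Workstation field matches the same pattern."""
    return (_field(event, 'EventID') == '4776'
            and WORKSTATION_RE.search(_field(event, 'Workstation')) is not None)


def matches_rule(event: Dict[str, object]) -> bool:
    """condition: 1 of selection* -- either selection is enough to alert."""
    return matches_selection1(event) or matches_selection2(event)


def alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real log data); comments state the expected outcome.
SAMPLE_EVENTS = [
    {'EventID': '4624', 'LogonType': '3', 'AuthenticationPackageName': 'NTLM',
     'WorkstationName': 'aB3dE5fG7hI9jK1L'},            # alert: selection1
    {'EventID': '4625', 'LogonType': '3', 'AuthenticationPackageName': 'NTLM',
     'WorkstationName': 'WKS-FINANCE-01'},              # no alert: hyphen, wrong length
    {'EventID': '4624', 'LogonType': '2', 'AuthenticationPackageName': 'NTLM',
     'WorkstationName': 'aB3dE5fG7hI9jK1L'},            # no alert: interactive, not network logon
    {'EventID': '4624', 'LogonType': '3', 'AuthenticationPackageName': 'Kerberos',
     'WorkstationName': 'aB3dE5fG7hI9jK1L'},            # no alert: not NTLM
    {'EventID': '4776', 'Workstation': 'XyZ0123456789AbC'},   # alert: selection2
    {'EventID': '4776', 'Workstation': 'linuxbuildnode001'},  # no alert: 17 characters
    {'EventID': '4776', 'Workstation': 'buildnode0000001'},   # alert: the documented false positive
]
```

Any field absent from an event (for example `LogonType` on a 4776 record) simply fails its comparison, which mirrors how a Sigma backend treats a missing field.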
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe