security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Potential Relay Attack against a Domain Controller (#3928)

Browse Source 
* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder
This commit is contained in:
Jonhnathan
2024-08-02 13:03:20 -03:00
committed by GitHub
parent 8d3ec2b8a3
commit dfdc214be8
1 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_dollar_account_relay.toml
+73
View File
@@ -0,0 +1,73 @@
[metadata]
creation_date = "2024/07/24"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/07/24"
[rule]
author = ["Elastic"]
description = """
Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the
domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC
hash after capturing it using forced authentication.
"""
from = "now-9m"
index = ["logs-system.security-*", "logs-windows.forwarded*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Relay Attack against a Domain Controller"
references = [
"https://github.com/p0dalirius/windows-coerced-authentication-methods",
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
"https://attack.mitre.org/techniques/T1187/",
]
risk_score = 21
rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Elastic Defend",
"Data Source: Active Directory",
"Use Case: Active Directory Monitoring",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
/* Filter for a machine account that matches the hostname */
startswith~(host.name, substring(user.name, 0, -1)) and
/* Verify if the Source IP belongs to the host */
not endswith(string(source.ip), string(host.ip)) and
source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1187"
name = "Forced Authentication"
reference = "https://attack.mitre.org/techniques/T1187/"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"
[[rule.threat.technique.subtechnique]]
id = "T1557.001"
name = "LLMNR/NBT-NS Poisoning and SMB Relay"
reference = "https://attack.mitre.org/techniques/T1557/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"