Potential Relay Attack against a Domain Controller

edit

Potential Relay Attack against a Domain Controller

edit

Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC hash after capturing it using forced authentication.

Rule type: eql

Rule indices:

  • logs-system.security-*
  • logs-windows.forwarded*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Data Source: Elastic Defend
  • Data Source: Active Directory
  • Use Case: Active Directory Monitoring

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
    winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and

    /* Filter for a machine account that matches the hostname */
    startswith~(host.name, substring(user.name, 0, -1)) and

    /* Verify if the Source IP belongs to the host */
    not endswith(string(source.ip), string(host.ip)) and
    source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"

Framework: MITRE ATT&CKTM