IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Untrusted DLL Loaded by Azure AD Sync Service Potential File Transfer via Certreq »

› ›

Active Directory Forced Authentication from Linux Host - SMB Named Pipes

edit

Active Directory Forced Authentication from Linux Host - SMB Named Pipes

edit

Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.

Rule type: eql

Rule indices:

logs-endpoint.events.network-*
logs-system.security-*
winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
OS: Windows
OS: Linux
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System

Version: 3

Rule authors:

Elastic

Rule license: Elastic License v2

Setup

edit

Setup

This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers for correlation. Both data sources should be collected from the hosts for this detection to work.

The Audit Detailed File Share audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)

Rule query

edit

sequence with maxspan=15s
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Forced Authentication
- ID: T1187
- Reference URL: https://attack.mitre.org/techniques/T1187/

« Untrusted DLL Loaded by Azure AD Sync Service Potential File Transfer via Certreq »