Active Directory Forced Authentication from Linux Host - SMB Named Pipes
Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.
Rule type: eql
Rule indices:
- logs-endpoint.events.network-*
- logs-system.security-*
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- OS: Linux
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
- Data Source: Active Directory
- Use Case: Active Directory Monitoring
- Data Source: System
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
This rule correlates Elastic Endpoint network events from Linux hosts with system integration events from domain controllers. Both data sources must be collected for this detection to work.
The Audit Detailed File Share audit policy must be configured for Success and Failure. To enable it with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Audit Detailed File Share (Success, Failure)
Rule query
sequence with maxspan=15s
  [network where host.os.type == "linux" and event.action == "connection_attempted" and
   destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))]
  by host.ip, data_stream.namespace
  [file where host.os.type == "windows" and event.code == "5145" and
   file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")]
  by source.ip, data_stream.namespace
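As an added illustration (not Elastic's code and not part of the rule page), the following Python models the sequence above over a few constructed ECS-style events: stage one is the Linux connection attempt to port 445 whose destination does not start with the host's own address, stage two is the Windows 5145 event for one of the listed pipes, and the two are joined on host.ip == source.ip and data_stream.namespace within 15 seconds. Field names follow the query; the flattened dict layout, timestamps, namespace and IP addresses are constructed, and host.ip is treated as a single string (in ECS it may be an array), which is a simplification of the real EQL evaluation.

```python
from datetime import datetime, timedelta

# Named pipes the rule looks for in event 5145 (file.name). EQL's ":" operator
# is case-insensitive, so the comparison below is done in lower case.
FORCED_AUTH_PIPES = {"spoolss", "netdfs", "lsarpc", "lsass", "netlogon",
                     "samr", "efsrpc", "fssagentrpc"}
MAXSPAN = timedelta(seconds=15)

# Constructed sample events using flattened ECS field names (not real telemetry).
LINUX_NETWORK_EVENTS = [
    # Outbound SMB connection attempt from a Linux host: stage 1 candidate.
    {"@timestamp": "2024-01-01T12:00:00Z", "host.os.type": "linux",
     "event.action": "connection_attempted", "destination.port": 445,
     "destination.ip": "10.0.0.10", "host.ip": "10.0.0.5",
     "data_stream.namespace": "default"},
    # Connection to the host's own address: excluded by the startswith~ clause.
    {"@timestamp": "2024-01-01T12:00:01Z", "host.os.type": "linux",
     "event.action": "connection_attempted", "destination.port": 445,
     "destination.ip": "10.0.0.5", "host.ip": "10.0.0.5",
     "data_stream.namespace": "default"},
    # Not SMB (port 443): ignored.
    {"@timestamp": "2024-01-01T12:00:02Z", "host.os.type": "linux",
     "event.action": "connection_attempted", "destination.port": 443,
     "destination.ip": "10.0.0.10", "host.ip": "10.0.0.7",
     "data_stream.namespace": "default"},
]

WINDOWS_FILE_EVENTS = [
    # 5145 on the DC for the lsarpc pipe from 10.0.0.5, 7 seconds later: matches.
    {"@timestamp": "2024-01-01T12:00:07Z", "host.os.type": "windows",
     "event.code": "5145", "file.name": "lsarpc", "source.ip": "10.0.0.5",
     "data_stream.namespace": "default"},
    # srvsvc is not one of the listed pipes: ignored.
    {"@timestamp": "2024-01-01T12:00:08Z", "host.os.type": "windows",
     "event.code": "5145", "file.name": "srvsvc", "source.ip": "10.0.0.5",
     "data_stream.namespace": "default"},
    # Listed pipe, but no preceding Linux connection attempt from this IP.
    {"@timestamp": "2024-01-01T12:00:09Z", "host.os.type": "windows",
     "event.code": "5145", "file.name": "samr", "source.ip": "10.0.0.9",
     "data_stream.namespace": "default"},
    # Listed pipe and matching IP, but 30 seconds later: outside maxspan=15s.
    {"@timestamp": "2024-01-01T12:00:30Z", "host.os.type": "windows",
     "event.code": "5145", "file.name": "netlogon", "source.ip": "10.0.0.5",
     "data_stream.namespace": "default"},
]


def _ts(event):
    """Parse the ISO-8601 @timestamp (a trailing Z means UTC)."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def is_smb_connection_attempt(event):
    """Stage 1: a Linux host attempting an outbound connection to port 445 whose
    destination address does not start with the host's own address."""
    dest = str(event.get("destination.ip", "")).lower()
    own = str(event.get("host.ip", "")).lower()
    return (event.get("host.os.type") == "linux"
            and event.get("event.action") == "connection_attempted"
            and event.get("destination.port") == 445
            and not dest.startswith(own))


def is_named_pipe_access(event):
    """Stage 2: a Windows 5145 (Detailed File Share) event naming one of the
    pipes the rule lists."""
    return (event.get("host.os.type") == "windows"
            and str(event.get("event.code")) == "5145"
            and str(event.get("file.name", "")).lower() in FORCED_AUTH_PIPES)


def correlate(network_events, file_events, maxspan=MAXSPAN):
    """Return (stage1, stage2) pairs where the Windows event arrives within
    maxspan after the Linux event and the join keys agree
    (host.ip == source.ip, same data_stream.namespace). This is a simplified
    model of EQL sequence semantics: matched events are not consumed."""
    matches = []
    for net in sorted(network_events, key=_ts):
        if not is_smb_connection_attempt(net):
            continue
        for fil in sorted(file_events, key=_ts):
            if not is_named_pipe_access(fil):
                continue
            same_keys = (fil.get("source.ip") == net.get("host.ip")
                         and fil.get("data_stream.namespace") == net.get("data_stream.namespace"))
            if same_keys and timedelta(0) <= _ts(fil) - _ts(net) <= maxspan:
                matches.append((net, fil))
    return matches


if __name__ == "__main__":
    for net, fil in correlate(LINUX_NETWORK_EVENTS, WINDOWS_FILE_EVENTS):
        gap = int((_ts(fil) - _ts(net)).total_seconds())
        print(f"{net['host.ip']} -> {net['destination.ip']}:445, then 5145 for pipe "
              f"{fil['file.name']} from {fil['source.ip']} ({gap}s later)")
```

Running the script reports the single correlated pair (the lsarpc access 7 seconds after the connection attempt); the self-directed connection, the non-SMB port, the unlisted pipe, the unrelated source address and the event outside the 15-second window are all dropped, which is the same pruning the rule's clauses perform.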
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Forced Authentication
  - ID: T1187
  - Reference URL: https://attack.mitre.org/techniques/T1187/