Active Directory Forced Authentication from Linux Host - SMB Named Pipes

edit

Active Directory Forced Authentication from Linux Host - SMB Named Pipes

edit

Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.

Rule type: eql

Rule indices:

  • logs-endpoint.events.network-*
  • logs-system.security-*
  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Data Source: Elastic Defend
  • Data Source: Active Directory
  • Use Case: Active Directory Monitoring
  • Data Source: System

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Setup

This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers for correlation. Both data sources should be collected from the hosts for this detection to work.

The Audit Detailed File Share audit policy must be configured (Success Failure). Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success,Failure)

Rule query

edit
sequence with maxspan=15s
[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace

Framework: MITRE ATT&CKTM