From 4b0453e5433d07e3e27b271a7009e6d822a2ac51 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 22 Jul 2024 15:01:53 -0300
Subject: [PATCH 1/4] [New Rule] Potential Forced Authentication
---
...edential_access_forced_authentication.toml | 63 +++++++++++++++++++
1 file changed, 63 insertions(+)
create mode 100644 rules/cross-platform/credential_access_forced_authentication.toml
diff --git a/rules/cross-platform/credential_access_forced_authentication.toml b/rules/cross-platform/credential_access_forced_authentication.toml
new file mode 100644
index 00000000000..a1d745a5a13
--- /dev/null
+++ b/rules/cross-platform/credential_access_forced_authentication.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2024/07/22"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2024/07/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication. Attackers may attempt to force targets to authenticate to a Linux machine
+controlled by them to capture hashes or to enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Forced Authentication"
+references = [
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-efsr",
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-rprn",
+ "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-dfsnm",
+ "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 47
+rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
+setup = """## Setup
+
+This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
+for correlation. Both data should be collected from the hosts for this detection to work.
+""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +sequence with maxspan=15s +[network where host.os.type != "windows" and event.action == "connection_attempted" and destination.port == 445] by host.ip +[authentication where host.os.type == "windows" and event.action == "logged-in" and + winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1187" +name = "Forced Authentication" +reference = "https://attack.mitre.org/techniques/T1187/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + From 62464ad001bacd400dd1888e8b6e6ea8cd0a52c7 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 22 Jul 2024 15:07:17 -0300 Subject: [PATCH 2/4] Update credential_access_forced_authentication.toml --- .../credential_access_forced_authentication.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/cross-platform/credential_access_forced_authentication.toml b/rules/cross-platform/credential_access_forced_authentication.toml index a1d745a5a13..c58a192e71c 100644 --- a/rules/cross-platform/credential_access_forced_authentication.toml +++ b/rules/cross-platform/credential_access_forced_authentication.toml @@ -35,7 +35,9 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Active Directory", + "Use Case: Active Directory Monitoring", ] timestamp_override = "event.ingested" type = "eql" From 56cbf834398271e7351f7eb29fd8f6876d97df3d Mon Sep 17 00:00:00 2001 
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 22 Jul 2024 15:10:03 -0300
Subject: [PATCH 3/4] Update credential_access_forced_authentication.toml
---
.../cross-platform/credential_access_forced_authentication.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/credential_access_forced_authentication.toml b/rules/cross-platform/credential_access_forced_authentication.toml
index c58a192e71c..70c96f0fe95 100644
--- a/rules/cross-platform/credential_access_forced_authentication.toml
+++ b/rules/cross-platform/credential_access_forced_authentication.toml
@@ -44,7 +44,7 @@ type = "eql"
 query = '''
 sequence with maxspan=15s
-[network where host.os.type != "windows" and event.action == "connection_attempted" and destination.port == 445] by host.ip
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
 [authentication where host.os.type == "windows" and event.action == "logged-in" and
 winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
 '''
From dbf8fea8458b106e00f5a2eefcb7bde0ebdce545 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:54:56 -0300
Subject: [PATCH 4/4] Update credential_access_forced_authentication.toml
---
.../credential_access_forced_authentication.toml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/credential_access_forced_authentication.toml b/rules/cross-platform/credential_access_forced_authentication.toml
index 70c96f0fe95..3e2459303a0 100644
--- a/rules/cross-platform/credential_access_forced_authentication.toml
+++ b/rules/cross-platform/credential_access_forced_authentication.toml
@@ -8,13 +8,13 @@ updated_date = "2024/07/22"
 author = ["Elastic"]
 description = """
 Identifies a potential forced authentication. Attackers may attempt to force targets to authenticate to a Linux machine
-controlled by them to capture hashes or to enable relay attacks.
+controlled by them to capture hashes or enable relay attacks.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Forced Authentication"
+name = "Active Directory Forced Authentication from Linux Host"
 references = [
 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-efsr",
 "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-rprn",
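Review bot: The new `name` promises "Active Directory", but nothing in the rule ties the Windows side of the sequence to a domain controller — `index` still covers `logs-system.security-*` from any Windows host shipping the system integration — so the name only holds under the deployment assumption stated in `setup`, and that assumption belongs in the `description` too. The description still describes the technique rather than what the telemetry shows; I would add a sentence such as `The rule correlates a Linux host opening an SMB (port 445) connection with an NTLM network logon from that host's IP on a Windows system within 15 seconds.` If I read the sequence correctly this observes the Linux host's own authenticated SMB session rather than the coerced callback itself, which is worth saying so analysts know which side of the exchange they are looking at. The edited `description` and `name` lines are within the hunk; the rest of `[rule]` is outside it.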