elastic · w0rk3r · Jul 22, 2024 · Jul 22, 2024 · Jul 22, 2024 · Jul 24, 2024
diff --git a/rules/cross-platform/credential_access_forced_authentication.toml b/rules/cross-platform/credential_access_forced_authentication.toml
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2024/07/22"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2024/07/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication. Attackers may attempt to force targets to authenticate to a Linux machine
+controlled by them to capture hashes or enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Active Directory Forced Authentication from Linux Host"
-name = "Active Directory Forced Authentication from Linux Host"
+name = "SMB Authentication from a Linux Host"
-name = "Active Directory Forced Authentication from Linux Host"
+name = "SMB Authentication from a Linux Host"
+references = [
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-efsr",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-rprn",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-dfsnm",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 47
+rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
+setup = """## Setup
+
+This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
+for correlation. Both data should be collected from the hosts for this detection to work.
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence with maxspan=15s
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
+[authentication where host.os.type == "windows" and event.action == "logged-in" and
+ winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
-[authentication where host.os.type == "windows" and event.action == "logged-in" and
- winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
+  [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445  
+   and (destination.ip != null or destination.ip != "0.0.0.0" or cidrmatch (
+     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+     "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+     "FF00::/8", "172.31.0.0/16"
+     )
+    )] by host.ip
+  [authentication where host.os.type == "windows" and event.action == "logged-in" and
+   winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
-[authentication where host.os.type == "windows" and event.action == "logged-in" and
- winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
+  [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445  
+   and (destination.ip != null or destination.ip != "0.0.0.0" or cidrmatch (
+     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+     "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+     "FF00::/8", "172.31.0.0/16"
+     )
+    )] by host.ip
+  [authentication where host.os.type == "windows" and event.action == "logged-in" and
+   winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+