[New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#3917)

w0rk3r · terrancedejesus · eric-forte-elastic · commit 1f4135ab4f57 · 2024-07-25T07:26:29.000-04:00
* [New Rule] Active Directory Forced Authentication from Linux Host via SMB Pipes

* Update credential_access_forced_authentication_pipes.toml

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml

Co-authored-by: Terrance DeJesus &lt;99630311+terrancedejesus@users.noreply.github.com&gt;

---------

Co-authored-by: Terrance DeJesus &lt;99630311+terrancedejesus@users.noreply.github.com&gt;
diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2024/07/23"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2024/07/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to
+authenticate to a host controlled by them to capture hashes or enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
+references = [
+    "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 47
+rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
+setup = """## Setup
+
+This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
+for correlation. Both data sources should be collected from the hosts for this detection to work.
+
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success,Failure)
+```
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence with maxspan=15s
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
+[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
