[New Rule] Potential Relay Attack against a Domain Controller (#3928)

w0rk3r · github-actions[bot] · commit cb858002113c · 2024-08-02T16:06:35.000Z
* [New Rule] Potential Relay Attack against a Domain Controller * Update credential_access_dollar_account_relay.toml * Move to the correct folder (cherry picked from commit dfdc214)
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2024/07/24"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/07/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the
+domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC
+hash after capturing it using forced authentication.
+"""
+from = "now-9m"
+index = ["logs-system.security-*", "logs-windows.forwarded*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Relay Attack against a Domain Controller"
+references = [
+    "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 21
+rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+authentication where host.os.type == "windows" and event.code in ("4624", "4625") and endswith~(user.name, "$") and
+    winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.logon.type : "network" and
+
+    /* Filter for a machine account that matches the hostname */
+    startswith~(host.name, substring(user.name, 0, -1)) and
+    
+    /* Verify if the Source IP belongs to the host */
+    not endswith(string(source.ip), string(host.ip)) and
+    source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+[[rule.threat.technique.subtechnique]]
+id = "T1557.001"
+name = "LLMNR/NBT-NS Poisoning and SMB Relay"
+reference = "https://attack.mitre.org/techniques/T1557/001/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
