Skip to content

Commit 4b0453e

Browse files
w0rk3rw0rk3r
committed
[New Rule] Potential Forced Authentication
1 parent 6bc1913 commit 4b0453e

File tree

1 file changed

+63
-0
lines changed

1 file changed

+63
-0
lines changed

rules/cross-platform/credential_access_forced_authentication.toml

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
[metadata]
2+
creation_date = "2024/07/22"
3+
integration = ["endpoint", "system"]
4+
maturity = "production"
5+
updated_date = "2024/07/22"
6+
7+
[rule]
8+
author = ["Elastic"]
9+
description = """
10+
Identifies a potential forced authentication. Attackers may attempt to force targets to authenticate to a Linux machine
11+
controlled by them to capture hashes or to enable relay attacks.
12+
"""
13+
from = "now-9m"
14+
index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
15+
language = "eql"
16+
license = "Elastic License v2"
17+
name = "Potential Forced Authentication"
18+
references = [
19+
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-efsr",
20+
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-rprn",
21+
"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/ms-dfsnm",
22+
"https://attack.mitre.org/techniques/T1187/",
23+
]
24+
risk_score = 47
25+
rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
26+
setup = """## Setup
27+
28+
This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
29+
for correlation. Both data should be collected from the hosts for this detection to work.
30+
"""
31+
severity = "medium"
32+
tags = [
33+
"Domain: Endpoint",
34+
"OS: Windows",
35+
"OS: Linux",
36+
"Use Case: Threat Detection",
37+
"Tactic: Credential Access",
38+
"Data Source: Elastic Defend"
39+
]
40+
timestamp_override = "event.ingested"
41+
type = "eql"
42+
43+
query = '''
44+
sequence with maxspan=15s
45+
[network where host.os.type != "windows" and event.action == "connection_attempted" and destination.port == 445] by host.ip
46+
[authentication where host.os.type == "windows" and event.action == "logged-in" and
47+
winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
48+
'''
49+
50+
51+
[[rule.threat]]
52+
framework = "MITRE ATT&CK"
53+
[[rule.threat.technique]]
54+
id = "T1187"
55+
name = "Forced Authentication"
56+
reference = "https://attack.mitre.org/techniques/T1187/"
57+
58+
59+
[rule.threat.tactic]
60+
id = "TA0006"
61+
name = "Credential Access"
62+
reference = "https://attack.mitre.org/tactics/TA0006/"
63+

0 commit comments

Comments
 (0)