diff --git a/rules/windows/bruteforce_attack.yml b/rules/windows/bruteforce_attack.yml
index c5ee4dc7a..eb664c56c 100644
--- a/rules/windows/bruteforce_attack.yml
+++ b/rules/windows/bruteforce_attack.yml
@@ -23,8 +23,15 @@ afterEvents:
 - field: target.user.keyword
 operator: filter_term
 value: "{{.target.user}}"
- within: now-5m
+ - field: origin.host.keyword
+ operator: filter_term
+ value: "{{.origin.host}}"
+ - field: origin.ip.keyword
+ operator: filter_term
+ value: "{{.origin.ip}}"
+ within: 5m
 count: 10
 deduplicateBy:
 - origin.host
 - target.user
+ - origin.ip
diff --git a/rules/windows/bruteforce_multiple_logon_failure_followed_by_success.yml b/rules/windows/bruteforce_multiple_logon_failure_followed_by_success.yml
index 4dde95082..5bccb7233 100644
--- a/rules/windows/bruteforce_multiple_logon_failure_followed_by_success.yml
+++ b/rules/windows/bruteforce_multiple_logon_failure_followed_by_success.yml
@@ -23,8 +23,15 @@ afterEvents:
 - field: target.user.keyword
 operator: filter_term
 value: "{{.target.user}}"
- within: now-5m
+ - field: origin.host.keyword
+ operator: filter_term
+ value: "{{.origin.host}}"
+ - field: origin.ip.keyword
+ operator: filter_term
+ value: "{{.origin.ip}}"
+ within: 5m
 count: 10
 deduplicateBy:
 - origin.ip
 - target.user
+ - origin.host
diff --git a/rules/windows/pass_the_hash_detection.yml b/rules/windows/pass_the_hash_detection.yml
deleted file mode 100644
index 5efab1b6a..000000000
--- a/rules/windows/pass_the_hash_detection.yml
+++ /dev/null
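Review bot: The new `origin.host.keyword` and `origin.ip.keyword` filter_term clauses in the afterEvents `with` list make both fields mandatory correlation keys, so a logon failure whose `origin.ip` is absent or a placeholder such as `-` (the value the removed pass_the_hash rule had to exclude with `!equals("origin.ip", "-")`) can never reach `count: 10`, and the rule goes quiet for that traffic instead of alerting; presumably the template renders empty and matches nothing, which is worth confirming against the engine. Consider documenting the requirement on the rule, e.g. `# correlation requires origin.host and origin.ip to be populated; failures with a '-' source never aggregate`, or keeping only one of the two as a correlation key and the other in deduplicateBy. The same applies to the bruteforce_multiple_logon_failure_followed_by_success.yml hunk, where the `deduplicateBy` list also ends up in a different order (ip, user, host versus host, user, ip), harmless if the engine treats it as a set but worth aligning between the two sibling rules. The afterEvents block starts before line 23, so the indexPattern and any earlier `with` entries are not visible in either hunk.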
@@ -1,66 +0,0 @@
-# Rule version v1.0.0
-
-dataTypes:
- - wineventlog
-name: Pass-the-Hash Attack Detection
-impact:
- confidentiality: 3
- integrity: 3
- availability: 2
-category: Lateral Movement
-technique: "T1550.002 - Use Alternate Authentication Material: Pass the Hash"
-adversary: origin
-references:
- - https://attack.mitre.org/techniques/T1550/002/
- - https://www.sans.org/blog/pass-the-hash-attack-detection/
- - https://stealthbits.com/blog/how-to-detect-pass-the-hash-attacks/
-description: |
- Detects Pass-the-Hash attacks by monitoring for NTLM authentication (Event ID 4624) with
- LogonType 9 (NewCredentials) or LogonType 3 (Network) from unusual sources, combined with
- the use of Seclogon service. Attackers use stolen NTLM hashes to authenticate without
- knowing the plaintext password, commonly through tools like Mimikatz sekurlsa::pth,
- Impacket, or CrackMapExec.
-
- Next Steps:
- 1. Identify the source IP and user account used for the NTLM authentication
- 2. Verify if the source host should be authenticating with NTLM to this target
- 3. Check for prior credential dumping activity on the source host
- 4. Review if the authentication was followed by lateral movement or data access
- 5. Reset the compromised account password and any related accounts
- 6. Implement NTLM restrictions via Group Policy where possible
- 7. Enable Windows Defender Credential Guard to protect NTLM hashes
-where: |
- (
- equals("log.eventCode", "4624") &&
- equals("log.channel", "Security") &&
- equals("log.eventDataLogonType", "9") &&
- equals("log.eventDataAuthenticationPackageName", "Negotiate") &&
- !regexMatch("log.eventDataSubjectUserName", "(?i)^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON|-|\\$)") &&
- exists("target.user") &&
- !regexMatch("target.user", "(?i)\\$$")
- ) ||
- (
- equals("log.eventCode", "4624") &&
- equals("log.channel", "Security") &&
- equals("log.eventDataLogonType", "3") &&
- equals("log.eventDataLmPackageName", "NTLM V1") &&
- exists("origin.ip") &&
- !equals("origin.ip", "-") &&
- !equals("origin.ip", "::1") &&
- !equals("origin.ip", "127.0.0.1")
- )
-afterEvents:
- - indexPattern: v11-log-wineventlog-*
- with:
- - field: origin.ip.keyword
- operator: filter_term
- value: '{{.origin.ip}}'
- - field: log.eventCode
- operator: filter_term
- value: '4624'
- within: now-30m
- count: 3
-groupBy:
- - origin.ip
- - origin.host
- - target.user