From ef8598e35a3a33210c37b358210cd1015c33dd56 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:56:02 -0300
Subject: [PATCH 1/3] [New Rule] Active Directory Forced Authentication from Linux Host via SMB Pipes

---
 ...al_access_forced_authentication_pipes.toml | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 rules/cross-platform/credential_access_forced_authentication_pipes.toml

diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
new file mode 100644
index 00000000000..9dc18ba80a6
--- /dev/null
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2024/07/23"
+integration = ["endpoint", "system"]
+maturity = "production"
+updated_date = "2024/07/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to
+authenticate to a host controlled by them to capture hashes or enable relay attacks.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Active Directory Forced Authentication from Linux Host via SMB Pipes"
+references = [
+    "https://github.com/p0dalirius/windows-coerced-authentication-methods",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
+    "https://attack.mitre.org/techniques/T1187/",
+]
+risk_score = 47
+rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
+setup = """## Setup
+
+This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
+for correlation. Both data should be collected from the hosts for this detection to work.
+
+The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success,Failure)
+```
+"""
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence with maxspan=15s
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
+[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1187"
+name = "Forced Authentication"
+reference = "https://attack.mitre.org/techniques/T1187/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

From b7d97c6a7305b685d804fd272535772b4bf3ecf3 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 23 Jul 2024 21:59:52 -0300
Subject: [PATCH 2/3] Update credential_access_forced_authentication_pipes.toml

---
 .../credential_access_forced_authentication_pipes.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
index 9dc18ba80a6..3c61614169f 100644
--- a/rules/cross-platform/credential_access_forced_authentication_pipes.toml
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
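Review bot: The second sequence step in `query` matches pipe names (`netlogon`, `samr`, `lsarpc`) that Linux hosts joined to the domain with Samba/winbind use routinely against domain controllers, so on environments with domain-member Linux machines the rule is likely to fire on ordinary membership traffic; this is not documented anywhere in the rule. Adding a `false_positives` entry under `[rule]` would make the expectation explicit, for example `false_positives = ["Domain-joined Linux hosts running Samba/winbind may legitimately connect to the netlogon, samr and lsarpc pipes on domain controllers."]`, and consider excluding known domain-member hosts in the first step. Separately, the join key `host.ip` on the Linux network event is typically multi-valued (every interface, including loopback) while `source.ip` on the 5145 event is a single address; it is worth confirming that the join matches against any element of the array, and joining on the network event's own `source.ip` may be the tighter key, with the caveat that NAT between the Linux host and the DC breaks either form. The `setup` text correctly ties the second step to the 'Audit Detailed File Share' policy that produces event 5145, but a short `note` investigation guide describing what to check on the Linux host (the process that opened the 445 connection) would help triage.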
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-system.security-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Active Directory Forced Authentication from Linux Host via SMB Pipes"
+name = "Active Directory Forced Authentication from Linux Host - SMB Named Pipes"
 references = [
     "https://github.com/p0dalirius/windows-coerced-authentication-methods",
     "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",

From 8b49eeefcc3bb2ee642b84c5c35e3ab7a7404a67 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 24 Jul 2024 11:10:42 -0300
Subject: [PATCH 3/3] Update rules/cross-platform/credential_access_forced_authentication_pipes.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../credential_access_forced_authentication_pipes.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
index 3c61614169f..72fcb33b4d3 100644
--- a/rules/cross-platform/credential_access_forced_authentication_pipes.toml
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -25,7 +25,7 @@ rule_id = "c24e9a43-f67e-431d-991b-09cdb83b3c0c"
 setup = """## Setup
 
 This rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers
-for correlation. Both data should be collected from the hosts for this detection to work.
+for correlation. Both data sources should be collected from the hosts for this detection to work.
 
 The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with Advanced Audit Configuration: