Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs; the raw YAML of each rule follows its summary.
HackTool - KrbRelayUp Execution
Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
Level: high | Status: test | Author: Florian Roth (Nextron Systems) | ID: 12827a56-61a4-476a-a9cb-f3068f191073

title: HackTool - KrbRelayUp Execution
id: 12827a56-61a4-476a-a9cb-f3068f191073
status: test
description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
references:
    - https://github.com/Dec0ne/KrbRelayUp
author: Florian Roth (Nextron Systems)
date: 2022-04-26
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\KrbRelayUp.exe'
        - OriginalFileName: 'KrbRelayUp.exe' # In case the file has been renamed after compilation
    selection_cli_1:
        CommandLine|contains|all:
            - ' relay '
            - ' -Domain '
            - ' -ComputerName '
    selection_cli_2:
        CommandLine|contains|all:
            - ' krbscm '
            - ' -sc '
    selection_cli_3:
        CommandLine|contains|all:
            - ' spawn '
            - ' -d '
            - ' -cn '
            - ' -cp '
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
Level: high | Status: test | Author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | ID: 3245cd30-e015-40ff-a31d-5cadd5f377ec

title: HackTool - Rubeus Execution - ScriptBlock
id: 3245cd30-e015-40ff-a31d-5cadd5f377ec
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: test
description: Detects the execution of the hacktool Rubeus using specific command line flags
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-27
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'asreproast '
            - 'dump /service:krbtgt '
            - 'dump /luid:0x'
            - 'kerberoast '
            - 'createnetonly /program:'
            - 'ptt /ticket:'
            - '/impersonateuser:'
            - 'renew /ticket:'
            - 'asktgt /user:'
            - 'harvest /interval:'
            - 's4u /user:'
            - 's4u /ticket:'
            - 'hash /password:'
            - 'golden /aes256:'
            - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: high
Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by Sensepost
Level: high | Status: test | Author: Florian Roth (Nextron Systems) | ID: 24549159-ac1b-479c-8175-d42aea947cae

title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
status: test
description: Detects events that are generated when using the hacktool Ruler by Sensepost
references:
    - https://github.com/sensepost/ruler
    - https://github.com/sensepost/ruler/issues/47
    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
author: Florian Roth (Nextron Systems)
date: 2017-05-31
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.execution
    - attack.collection
    - attack.lateral-movement
    - attack.t1087
    - attack.t1114
    - attack.t1059
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4776
        Workstation: 'RULER'
    selection2:
        EventID:
            - 4624
            - 4625
        WorkstationName: 'RULER'
    condition: (1 of selection*)
falsepositives:
    - Go utilities that use staaldraad's NTLM library
level: high
Successful Overpass the Hash Attempt
Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of, e.g., Mimikatz's sekurlsa::pth module.
Level: high | Status: test | Author: Roberto Rodriguez (source), Dominik Schaudel (rule) | ID: 192a0330-c20b-4356-90b6-7b7049ae0b87

title: Successful Overpass the Hash Attempt
id: 192a0330-c20b-4356-90b6-7b7049ae0b87
status: test
description: Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of, e.g., Mimikatz's sekurlsa::pth module.
references:
    - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
author: Roberto Rodriguez (source), Dominik Schaudel (rule)
date: 2018-02-12
modified: 2021-11-27
tags:
    - attack.lateral-movement
    - attack.s0002
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: seclogo
        AuthenticationPackageName: Negotiate
    condition: selection
falsepositives:
    - Runas command-line tool using the /netonly parameter
level: high
AWS Console GetSigninToken Potential Abuse
Detects potentially suspicious events involving "GetSigninToken".
An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.
Level: medium | Status: test | Author: Chester Le Bron (@123Le_Bron) | ID: f8103686-e3e8-46f3-be72-65f7fcb4aa53

title: AWS Console GetSigninToken Potential Abuse
id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
status: test
description: |
    Detects potentially suspicious events involving "GetSigninToken".
    An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.
references:
    - https://github.com/NetSPI/aws_consoler
    - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
author: Chester Le Bron (@123Le_Bron)
date: 2024-02-26
tags:
    - attack.lateral-movement
    - attack.t1021.007
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'signin.amazonaws.com'
        eventName: 'GetSigninToken'
    filter_main_console_ua:
        userAgent|contains: 'Jersey/${project.version}'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - GetSigninToken events will occur when using the AWS SSO portal to log in and will generate false positives if you do not filter for the expected user agent(s); see the filter. Non-SSO-configured roles would be abnormal and should be investigated.
level: medium
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Level: medium | Status: test | Author: Austin Songer | ID: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e

title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
references:
    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021-09-22
modified: 2022-12-18
tags:
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_sts:
        eventSource: 'sts.amazonaws.com'
        eventName: 'AssumeRoleWithSAML'
    selection_iam:
        eventSource: 'iam.amazonaws.com'
        eventName: 'UpdateSAMLProvider'
    condition: 1 of selection_*
falsepositives:
    - Automated processes that use Terraform may lead to false positives.
    - A SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - A SAML provider being updated by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
Level: medium | Status: test | Author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | ID: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d

title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID:
            - 6038
            - 6039
    condition: selection
falsepositives:
    - Environments that use NTLMv1
level: medium
Pass the Hash Activity 2
Detects the attack technique pass the hash, which is used to move laterally inside the network
Level: medium | Status: stable | Author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | ID: 8eef149c-bd26-49f2-9e5a-9b00e3af499b

title: Pass the Hash Activity 2
id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
status: stable
description: Detects the attack technique pass the hash, which is used to move laterally inside the network
references:
    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
    - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
author: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)
date: 2019-06-14
modified: 2022-10-05
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624
detection:
    selection_logon3:
        EventID: 4624
        SubjectUserSid: 'S-1-0-0'
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        KeyLength: 0
    selection_logon9:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'seclogo'
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: 1 of selection_* and not filter
falsepositives:
    - Administrator activity
level: medium
Uncommon Outbound Kerberos Connection
Detects uncommon outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage PrivEsc via delegation.
Level: medium | Status: test | Author: Ilyas Ochkov, oscd.community | ID: e54979bd-c5f9-4d6c-967b-a04b19ac4c74

title: Uncommon Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
related:
    - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
      type: similar
status: test
description: |
    Detects uncommon outbound network activity via the Kerberos default port, indicating possible lateral movement or first-stage PrivEsc via delegation.
references:
    - https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
    - attack.credential-access
    - attack.t1558
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 88
        Initiated: 'true'
    filter_main_lsass:
        Image: 'C:\Windows\System32\lsass.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tomcat:
        Image|endswith: '\tomcat\bin\tomcat8.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Web browsers and third-party applications might generate similar activity. An initial baseline is required.
level: medium
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
Level: low | Status: test | Author: Austin Songer @austinsonger | ID: 905d389b-b853-46d0-9d3d-dea0d3a3cd49

title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
status: test
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
references:
    - https://github.com/elastic/detection-rules/pull/1214
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.type: AssumedRole
        userIdentity.sessionContext.sessionIssuer.type: Role
    condition: selection
falsepositives:
    - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    - Automated processes that use Terraform may lead to false positives.
level: low
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
Level: low | Status: test | Author: Austin Songer @austinsonger | ID: b45ab1d2-712f-4f01-a751-df3826969807

title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
status: test
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
references:
    - https://github.com/elastic/detection-rules/pull/1213
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.t1548
    - attack.t1550
    - attack.t1550.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: sts.amazonaws.com
        eventName: GetSessionToken
        userIdentity.type: IAMUser
    condition: selection
falsepositives:
    - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers
Level: low | Status: test | Author: Florian Roth (Nextron Systems) | ID: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b

title: NTLM Logon
id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
status: test
description: Detects logons using NTLM, which could be caused by a legacy source or attackers
references:
    - https://twitter.com/JohnLaTwC/status/1004895028995477505
author: Florian Roth (Nextron Systems)
date: 2018-06-08
modified: 2024-07-22
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8002
    condition: selection
falsepositives:
    - Legacy hosts
level: low
Outgoing Logon with New Credentials
Detects logon events that specify new credentials
Level: low | Status: test | Author: Max Altgelt (Nextron Systems) | ID: def8b624-e08f-4ae1-8612-1ba21190da6b

title: Outgoing Logon with New Credentials
id: def8b624-e08f-4ae1-8612-1ba21190da6b
status: test
description: Detects logon events that specify new credentials
references:
    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.lateral-movement
    - attack.t1550
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
    condition: selection
falsepositives:
    - Legitimate remote administration activity
level: low