Potential Machine Account Relay Attack via SMB

Author
Elastic
Source
upstream

Identifies a potential relay attack against a machine account by looking for network share access events (Windows Security event 5145) that arrive from a remote source.ip but authenticate as the target server's own computer account. A server does not normally reach its own shares from a remote address using its own machine account, so the pattern may indicate a successful SMB relay in which the server's NTLM authentication was relayed back to it.

MITRE ATT&CK coverage

Tactic              Techniques
Credential Access   T1187 Forced Authentication, T1557 Adversary-in-the-Middle, T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Lateral Movement    T1021 Remote Services, T1021.002 Remote Services: SMB/Windows Admin Shares
Collection          T1557 Adversary-in-the-Middle, T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Event coverage

Provider            Event ID   Title
Security-Auditing   5145       A network share object was checked to see whether client can be granted desired access.

Event 5145 is written only when the "Audit Detailed File Share" subcategory (Object Access) is enabled; it is off by default, so the rule stays silent on hosts that do not carry that audit policy. Every share access produces one such event, so enable it on the servers that matter (file servers, domain controllers) and size the log volume before rolling it out fleet-wide.

Stages and Predicates

Stage 1: eql:file

Conjuncts, one per line:

  not source.ip ends_with
  not source.ip:"127.0.0.1"
  not source.ip:"::"
  not source.ip:"::1"
  user.name:"*$"
  winlog.computer_name starts_with
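The conjuncts above re-implemented as an added example in Python, run over constructed Security 5145 events. This is not Elastic's code and not the EQL the detection engine evaluates; it keeps the loopback exclusions, the machine-account suffix check and the computer-name prefix comparison, and adds two things the page does not: IPv4-mapped spellings such as ::ffff:127.0.0.1 are normalised with the standard library, and an optional host_ips set (an assumption of this example, not part of the rule) suppresses the server reaching its own share through a LAN address, which the rule as shown would flag.

```python
# Added example (not Elastic's code): the rule's conjuncts re-implemented in
# Python and run over constructed Security 5145 events, so the matching logic
# can be read and tested outside the Elastic detection engine.
from ipaddress import ip_address


def normalise_ip(src):
    """Parse an ECS source.ip string; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Returns None when the value is not an IP address, so the caller can decide
    how to treat malformed data (here: keep the event in scope).
    """
    try:
        addr = ip_address(src)
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)  # IPv4Address has no such attribute
    return mapped if mapped is not None else addr


def matches(event, host_ips=frozenset()):
    """True when a flat ECS-style event satisfies the rule's conjuncts.

    host_ips is an assumption added here, not part of the page's rule: the
    server's own interface addresses, so that the host reaching its own share
    through a LAN address (DFS, cluster IPs, scheduled jobs) does not fire.
    """
    if event.get("event.code") != "5145":
        return False

    src = event.get("source.ip")
    if not src:                                   # null check (the ends_with exclusion)
        return False
    addr = normalise_ip(src)
    if addr is not None:
        # 127.0.0.1, ::1 and :: from the rule; is_loopback also covers the
        # rest of 127.0.0.0/8 and the ::ffff:127.0.0.1 spelling.
        if addr.is_loopback or addr.is_unspecified:
            return False
        if str(addr) in host_ips:                 # assumption: own-address suppression
            return False

    user = event.get("user.name") or ""
    if not user.endswith("$"):                    # user.name:"*$": machine accounts only
        return False
    account = user[:-1].lower()
    computer = (event.get("winlog.computer_name") or "").lower()
    # The authenticating machine account must be the target server's own:
    # winlog.computer_name (usually an FQDN) starts with the account name.
    return bool(account) and computer.startswith(account)


def scan(events, host_ips=frozenset()):
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches(e, host_ips)]


# Constructed sample events (not real log data); field names follow ECS.
SAMPLE_EVENTS = [
    # 0: remote client authenticates to FS01 as FS01$ -> the relay pattern
    {"event.code": "5145", "source.ip": "10.0.0.55", "user.name": "FS01$",
     "winlog.computer_name": "FS01.corp.example"},
    # 1: the host touching its own share over loopback
    {"event.code": "5145", "source.ip": "127.0.0.1", "user.name": "FS01$",
     "winlog.computer_name": "FS01.corp.example"},
    # 2: same, in the IPv4-mapped IPv6 spelling
    {"event.code": "5145", "source.ip": "::ffff:127.0.0.1", "user.name": "FS01$",
     "winlog.computer_name": "FS01.corp.example"},
    # 3: another machine account (WS12$) accessing FS01: ordinary traffic
    {"event.code": "5145", "source.ip": "10.0.0.7", "user.name": "WS12$",
     "winlog.computer_name": "FS01.corp.example"},
    # 4: an interactive user, not a machine account
    {"event.code": "5145", "source.ip": "10.0.0.7", "user.name": "jdoe",
     "winlog.computer_name": "FS01.corp.example"},
    # 5: FS01 reaching its own share through its LAN address 10.0.0.10
    {"event.code": "5145", "source.ip": "10.0.0.10", "user.name": "FS01$",
     "winlog.computer_name": "FS01.corp.example"},
    # 6: source.ip missing from the event
    {"event.code": "5145", "source.ip": None, "user.name": "FS01$",
     "winlog.computer_name": "FS01.corp.example"},
]

if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print("ALERT", e["source.ip"], e["user.name"], e["winlog.computer_name"])
    # With the server's own address known, event 5 is suppressed.
    print("with host_ips:", [e["source.ip"] for e in scan(SAMPLE_EVENTS, {"10.0.0.10"})])
```

Run as-is, the scan flags events 0 and 5; passing the server's own address in host_ips leaves only event 0, the genuine relay pattern. Event 5 is the false positive to expect from the rule as published: a host that maps its own share by hostname resolves to a non-loopback address and authenticates with its own machine account, which satisfies every conjunct. Tuning by the server's own addresses, or by restricting to ADMIN$ and C$ share names, is how a practitioner would narrow it.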

Exclusions

Top-level NOT(...) conjuncts, i.e. predicates this rule actively suppresses.

Stage   Field       Kind        Excluded values
1       source.ip   ends_with   (no value: null check)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus count shows how many other rules in the catalog look for the same combination: a high number points to a widely used, community-vetted indicator; a blank or 1 means the indicator is specific to this rule.

Field       Kind        Values
source.ip   ne
  • 127.0.0.1 (corpus 8: elastic 8)
  • ::
  • ::1 (corpus 7: elastic 7)
user.name   ends_with
  • $ (corpus 18: sigma 14, elastic 4)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.