detection.wiki

Detection rules › Sigma

Metasploit SMB Authentication

Severity
high
Author
Chakib Gzenayi (@Chak092), Hosni Mribah
Source
upstream

Alerts on Metasploit host's authentications on the domain.

MITRE ATT&CK coverage

TacticTechniques
Lateral MovementT1021.002 Remote Services: SMB/Windows Admin Shares

Event coverage

ProviderEvent IDTitle
Security-Auditing4624An account was successfully logged on.
Security-Auditing4625An account failed to log on.
Security-Auditing4776The domain controller attempted to validate the credentials for an account.

Stages and Predicates

Stage 1: 1 of selection1

AuthenticationPackageName: NTLM
LogonType: 3
WorkstationName|re: '^[A-Za-z0-9]{16}$'

Stage 2: 1 of selection2

Workstation|re: '^[A-Za-z0-9]{16}$'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AuthenticationPackageNameeq
  • NTLM corpus 2 (sigma 1, elastic 1)
LogonTypeeq
  • 3 corpus 12 (splunk 7, sigma 5)
Workstationregex_match
  • ^[A-Za-z0-9]{16}$
WorkstationNameregex_match
  • ^[A-Za-z0-9]{16}$

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.