Potential Machine Account Relay Attack via SMB
The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.
This detection rule identifies potential SMB relay attacks targeting machine accounts in Windows environments. The attack involves an adversary intercepting and relaying authentication requests to gain unauthorized access to network resources. The detection focuses on analyzing Windows Security Event Logs for file share access events (event code 5145) where the source IP address is different from the target server’s IP address, but the user name matches the target server’s computer account (ends with “$”). This activity could indicate that an attacker is relaying SMB authentication requests from a compromised system to the target server, effectively impersonating the machine account. Detecting this behavior is crucial for identifying and mitigating potential lateral movement and credential access attempts within the network.
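The description above boils down to three checks on each 5145 event: the source IP is remote (not loopback and not one of the logging server's own addresses), the account name ends in "$", and, for the high-confidence case, that name is the logging server's own computer account. The following Python is an added example written for this page, not the platform's rule or its query language; the field names (event_code, host_name, host_ips, source_ip, user_name, share_name) are an assumption loosely modelled on Winlogbeat/ECS naming, and the sample events are constructed.

```python
"""Added example: the 5145 machine-account relay check, run over constructed events.

Field names below are assumed for illustration (not the platform's own schema).
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Loopback and the blank value Windows writes for local access are not remote sources.
LOCAL_SOURCES = {"127.0.0.1", "::1", "-"}


@dataclass(frozen=True)
class ShareAccessEvent:
    event_code: int     # Windows Security event ID; 5145 = detailed file share access
    host_name: str      # NetBIOS name of the server that logged the event
    host_ips: tuple     # that server's own IP addresses
    source_ip: str      # IpAddress field of the 5145 event (the connecting client)
    user_name: str      # SubjectUserName
    share_name: str     # ShareName, e.g. \\*\IPC$


def is_remote_source(ev: ShareAccessEvent) -> bool:
    """True when the client address is a real IP that is not the server's own."""
    if ev.source_ip in LOCAL_SOURCES:
        return False
    try:
        ip_address(ev.source_ip)
    except ValueError:
        return False  # unparsable source field: do not alert on garbage
    return ev.source_ip not in ev.host_ips


def is_machine_account(ev: ShareAccessEvent) -> bool:
    """Computer accounts in Windows are named <HOST>$ ."""
    return ev.user_name.endswith("$")


def is_own_machine_account(ev: ShareAccessEvent) -> bool:
    """Strict case from the description: the account is the target server's own."""
    return is_machine_account(ev) and ev.user_name[:-1].lower() == ev.host_name.lower()


def classify(ev: ShareAccessEvent):
    """Return 'high', 'medium' or None, mirroring the two coverage rules on this page."""
    if ev.event_code != 5145 or not is_remote_source(ev):
        return None
    if is_own_machine_account(ev):
        return "high"    # server's own computer account used from another IP: relay signature
    if is_machine_account(ev):
        return "medium"  # some other computer account from a remote IP: possible, but noisier
    return None


def find_alerts(events):
    """Pair each alerting event with its severity."""
    out = []
    for ev in events:
        sev = classify(ev)
        if sev:
            out.append((sev, ev))
    return out


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    ShareAccessEvent(5145, "SRV01", ("10.0.0.5",), "10.0.0.77", "SRV01$", "\\\\*\\IPC$"),   # high
    ShareAccessEvent(5145, "SRV01", ("10.0.0.5",), "10.0.0.5", "SRV01$", "\\\\*\\ADMIN$"),  # local, none
    ShareAccessEvent(5145, "SRV01", ("10.0.0.5",), "10.0.0.77", "WS02$", "\\\\*\\IPC$"),    # medium
    ShareAccessEvent(5145, "SRV01", ("10.0.0.5",), "10.0.0.77", "alice", "\\\\*\\Data"),    # user, none
    ShareAccessEvent(4624, "SRV01", ("10.0.0.5",), "10.0.0.77", "SRV01$", ""),              # wrong event
    ShareAccessEvent(5145, "SRV01", ("10.0.0.5",), "-", "SRV01$", "\\\\*\\IPC$"),            # blank src
]

if __name__ == "__main__":
    for sev, ev in find_alerts(SAMPLE_EVENTS):
        print(f"[{sev}] {ev.user_name} from {ev.source_ip} -> {ev.host_name}{ev.share_name}")
```

The strict check compares the account name against the server's NetBIOS name case-insensitively, because SubjectUserName carries the short name with a trailing "$", not the FQDN. The medium tier, which fires on any computer account arriving from a remote IP, is expected to be noisy: domain members routinely read SYSVOL and NETLOGON on domain controllers under their own computer account, so that tier is better treated as a pivot for the 4624/4625 review recommended below than as a stand-alone alert.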
Attack Chain
- The attacker compromises a host within the network.
- The attacker initiates an SMB connection to a target server.
- The attacker intercepts the authentication request.
- The attacker relays the authentication request to another server using the target server’s machine account.
- The target server authenticates the relayed request, granting access to the attacker.
- The attacker gains unauthorized access to network shares and resources on the target server.
- The attacker attempts lateral movement to other systems within the domain.
- The attacker performs credential access activities, such as dumping credentials or accessing sensitive data.
Impact
Successful exploitation allows attackers to gain unauthorized access to network resources, potentially leading to lateral movement, data theft, or system compromise. A successful SMB relay attack can compromise critical systems and expose sensitive data, potentially impacting hundreds or thousands of systems within the domain. This can result in significant financial losses, reputational damage, and legal liabilities.
Recommendation
- Enable the Audit Detailed File Share audit subcategory so that event 5145 is generated; without it the rule has nothing to match (setup instructions: https://ela.st/audit-detailed-file-share).
- Deploy the provided Sigma rule “Potential Machine Account Relay Attack via SMB” to your SIEM to detect suspicious SMB activity based on event code 5145 and abnormal source IP addresses.
- Investigate alerts generated by the Sigma rule by reviewing surrounding authentication events (event codes 4624 and 4625) to confirm the use of machine accounts from unexpected source IPs.
- Implement network segmentation and restrict SMB access between systems to limit the potential impact of SMB relay attacks.
- Require SMB signing on clients and servers (signing that is merely enabled but not required does not stop a relay), or use Extended Protection for Authentication where supported, to prevent man-in-the-middle attacks.
- Monitor for related alerts on the same host (host.id), as described in the investigation sections, focusing on suspicious authentication, service creation, persistence, or credential access.
Detection coverage (2 rules)
Potential Machine Account Relay Attack via SMB
Severity: high. Detects potential relay attacks against a machine account by identifying network share access events coming from a remote source.ip but using the target server's computer account.
SMB Share Access from Different Source IP Using Machine Account
Severity: medium. Identifies SMB share access events where the source IP is different from the host IP and the username ends with '$', indicating a potential machine account relay attack.
Detection queries are kept inside the platform.