{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/smb-relay/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic License v2"],"_cs_severities":["high"],"_cs_tags":["credential-access","smb-relay","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies potential SMB relay attacks targeting machine accounts in Windows environments. The attack involves an adversary intercepting and relaying authentication requests to gain unauthorized access to network resources. The detection focuses on analyzing Windows Security Event Logs for file share access events (event code 5145) where the source IP address is different from the target server\u0026rsquo;s IP address, but the user name matches the target server\u0026rsquo;s computer account (ends with \u0026ldquo;$\u0026rdquo;). This activity could indicate that an attacker is relaying SMB authentication requests from a compromised system to the target server, effectively impersonating the machine account. Detecting this behavior is crucial for identifying and mitigating potential lateral movement and credential access attempts within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an SMB connection to a target server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the authentication request.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the authentication request to another server using the target server\u0026rsquo;s machine account.\u003c/li\u003e\n\u003cli\u003eThe target server authenticates the relayed request, granting access to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to network shares and resources on the target server.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker performs credential access activities, such as dumping credentials or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized access to network resources, potentially leading to lateral movement, data theft, or system compromise. A successful SMB relay attack can compromise critical systems and expose sensitive data, potentially impacting hundreds or thousands of systems within the domain. This can result in significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Detailed File Share monitoring to generate the necessary event logs for detection (Setup instructions: \u003ca href=\"https://ela.st/audit-detailed-file-share\"\u003ehttps://ela.st/audit-detailed-file-share\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;Potential Machine Account Relay Attack via SMB\u0026rdquo; to your SIEM to detect suspicious SMB activity based on event code 5145 and abnormal source IP addresses.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by reviewing surrounding authentication events (event codes 4624 and 4625) to confirm the use of machine accounts from unexpected source IPs.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and restrict SMB access between systems to limit the potential impact of SMB relay attacks.\u003c/li\u003e\n\u003cli\u003eEnforce SMB signing or Extended Protection to prevent man-in-the-middle attacks.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts as described in the transform.investigate sections, focusing on suspicious authentication, service creation, persistence, or credential access on the host.id.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-machine-account-relay/","summary":"The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.","title":"Potential Machine Account Relay Attack via SMB","url":"https://feed.craftedsignal.io/briefs/2024-01-machine-account-relay/"}],"language":"en","title":"CraftedSignal Threat Feed — Smb-Relay","version":"https://jsonfeed.org/version/1.1"}