sigmahighHunting

Metasploit SMB Authentication

Alerts on Metasploit host's authentications on the domain.

MITRE ATT&CK

lateral-movement

Detection Query

selection1:
  EventID:
    - 4625
    - 4624
  LogonType: 3
  AuthenticationPackageName: NTLM
  WorkstationName|re: ^[A-Za-z0-9]{16}$
selection2:
  EventID: 4776
  Workstation|re: ^[A-Za-z0-9]{16}$
condition: 1 of selection*

Author

Chakib Gzenayi (@Chak092), Hosni Mribah

Created

2020-05-06

Data Sources

windowssecurity

Platforms

windows

References

https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb

Tags

attack.lateral-movementattack.t1021.002

Raw Content

title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4625
            - 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
        WorkstationName|re: '^[A-Za-z0-9]{16}$'
    selection2:
        EventID: 4776
        Workstation|re: '^[A-Za-z0-9]{16}$'
    condition: 1 of selection*
falsepositives:
    - Linux hostnames composed of 16 characters.
level: high