Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
Authors: Chakib Gzenayi, Hosni Mribah
Created: Wed May 06
Updated: Thu Jan 25
Log Source
Product: windows
Service: security
Detection Logic (2 selectors)
detection:
  selection1:
    EventID:
      - 4625
      - 4624
    LogonType: 3
    AuthenticationPackageName: 'NTLM'
    WorkstationName|re: '^[A-Za-z0-9]{16}$'
  selection2:
    EventID: 4776
    Workstation|re: '^[A-Za-z0-9]{16}$'
  condition: 1 of selection*
False Positives
Linux hostnames composed of 16 characters.
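The rule above keys on the random 16-character alphanumeric workstation name that Metasploit's SMB modules present during NTLM authentication. As an added illustration (not part of the rule or the Sigma project), the following Python evaluates both selectors and the "1 of selection*" condition over a handful of constructed 4624/4625/4776 events, including one that reproduces the documented false positive:

```python
import re

# Added example: a minimal evaluator for the two selectors of this Sigma rule,
# run over constructed Windows Security events (field names follow the rule;
# all values are made up, not real log data).
WORKSTATION_RE = re.compile(r"^[A-Za-z0-9]{16}$")


def matches_selection1(event):
    """4624/4625 network logon (type 3) via NTLM from a 16-char alphanumeric workstation name."""
    return (
        event.get("EventID") in (4624, 4625)
        and event.get("LogonType") == 3
        and event.get("AuthenticationPackageName") == "NTLM"
        and bool(WORKSTATION_RE.match(event.get("WorkstationName", "")))
    )


def matches_selection2(event):
    """4776 credential validation where the Workstation field is a 16-char alphanumeric name."""
    return event.get("EventID") == 4776 and bool(WORKSTATION_RE.match(event.get("Workstation", "")))


def rule_matches(event):
    # Sigma condition '1 of selection*': the rule fires if any selector matches.
    return matches_selection1(event) or matches_selection2(event)


def run_rule(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


SAMPLE_EVENTS = [
    {"id": "ev1", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "aB3dE5fG7hI9jK1L"},                          # hit: selection1
    {"id": "ev2", "EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WORKSTATION-01"},                             # miss: hyphen, wrong length
    {"id": "ev3", "EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "aB3dE5fG7hI9jK1L"},                          # miss: LogonType 10, not 3
    {"id": "ev4", "EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "aB3dE5fG7hI9jK1L"},                          # miss: Kerberos, not NTLM
    {"id": "ev5", "EventID": 4776, "Workstation": "Zq8WpL2nXc4VbT6K"},  # hit: selection2
    {"id": "ev6", "EventID": 4776, "Workstation": "linuxbuildhost01"},  # hit: the documented false positive
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['ev1', 'ev5', 'ev6']
```

ev6 shows why the false-positive note matters: a legitimate 16-character Linux hostname is indistinguishable from Metasploit's random name under this regex alone, so triage should check whether the workstation name resolves to a known host.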
References
None listed.
MITRE ATT&CK
Tactic: Lateral Movement (attack.lateral-movement)
Sub-technique: T1021.002 (attack.t1021.002)
Rule Metadata
Rule ID: 72124974-a68b-4366-b990-d30e0b2a190d
Status: test
Level: high
Type: Detection
Created: Wed May 06
Modified: Thu Jan 25
Author: Chakib Gzenayi, Hosni Mribah
Path: rules/windows/builtin/security/win_security_metasploit_authentication.yml
Raw Tags: attack.lateral-movement, attack.t1021.002