Potential Privilege Escalation via Local Kerberos Relay over LDAP
Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/04/26"
3deprecation_date = "2022/08/01"
4maturity = "deprecated"
5updated_date = "2022/08/01"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to
11localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage
12a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local
13System privileges.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-system.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Privilege Escalation via Local Kerberos Relay over LDAP"
20references = [
21 "https://github.com/Dec0ne/KrbRelayUp",
22 "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
23 "https://github.com/cube0x0/KrbRelay",
24]
25risk_score = 73
26rule_id = "3605a013-6f0c-4f7d-88a5-326f5be262ec"
27severity = "high"
28tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Credential Access"]
29type = "eql"
30
31query = '''
32authentication where
33
34 /* event 4624 need to be logged */
35 event.action == "logged-in" and event.outcome == "success" and
36
37 /* authenticate locally via relayed kerberos ticket */
38 winlog.event_data.AuthenticationPackageName : "Kerberos" and winlog.logon.type == "Network" and
39 source.ip == "127.0.0.1" and source.port > 0 and
40
41 /* Impersonate Administrator user via S4U2Self service ticket */
42 winlog.event_data.TargetUserSid : "S-1-5-21-*-500"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1548"
50name = "Abuse Elevation Control Mechanism"
51reference = "https://attack.mitre.org/techniques/T1548/"
52[[rule.threat.technique.subtechnique]]
53id = "T1548.002"
54name = "Bypass User Account Control"
55reference = "https://attack.mitre.org/techniques/T1548/002/"
56
57
58
59[rule.threat.tactic]
60id = "TA0004"
61name = "Privilege Escalation"
62reference = "https://attack.mitre.org/tactics/TA0004/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1558"
67name = "Steal or Forge Kerberos Tickets"
68reference = "https://attack.mitre.org/techniques/T1558/"
69
70
71[rule.threat.tactic]
72id = "TA0006"
73name = "Credential Access"
74reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). - Dec0ne/KrbRelayUp
Read More -
Posted by James Forshaw, Project Zero This blog post is a summary of some research I've been doing into relaying Kerberos authentica...
Read More -
Framework for Kerberos relaying . Contribute to cube0x0/KrbRelay development by creating an account on GitHub.
Read More
Related rules
- Potential PrintNightmare Exploit Registry Modification
- Potential PrintNightmare File Modification
- Strace Process Activity
- Network Connection via Mshta
- Network Sniffing via Tcpdump