KRBTGT Delegation Backdoor
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
Elastic rule
[metadata]
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to
maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "KRBTGT Delegation Backdoor"
references = [
    "https://skyblue.team/posts/delegate-krbtgt",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md",
]
risk_score = 73
rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82"
setup = """## Setup

The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Account Management > Audit User Account Management (Success,Failure)
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.action == "modified-user-account" and event.code == "4738" and
    winlog.event_data.AllowedToDelegateTo : "*krbtgt*"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
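The EQL query above is the whole detection: a 4738 "user account was changed" event whose AllowedToDelegateTo field now names the krbtgt service. The following Python is an added illustration (not part of the Elastic rule or its code base) that applies the same three conditions to a handful of constructed ECS-style events, so you can see exactly which records fire and which do not. Field names follow the rule (event.action, event.code, winlog.event_data.AllowedToDelegateTo); the sample events, account names and domain are invented for the demonstration. Note that the rule keys on event code 4738 only; the computer-account counterpart (4742, which also carries AllowedToDelegateTo) is outside its scope, and a 4738 that did not touch delegation reports "-" in that field.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Constructed sample events (not real telemetry), laid out like the ECS
# documents the rule's index patterns would contain.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # Delegation to krbtgt added to a service account: should match.
        "event": {"action": "modified-user-account", "code": "4738"},
        "winlog": {"event_data": {
            "SubjectUserName": "jdoe-adm",
            "TargetUserName": "svc-backup",
            "TargetDomainName": "CORP",
            "AllowedToDelegateTo": "krbtgt/CORP.LOCAL",
        }},
    },
    {   # Ordinary constrained delegation to a file server: benign.
        "event": {"action": "modified-user-account", "code": "4738"},
        "winlog": {"event_data": {
            "SubjectUserName": "jdoe-adm",
            "TargetUserName": "svc-web",
            "TargetDomainName": "CORP",
            "AllowedToDelegateTo": "cifs/fileserver.corp.local",
        }},
    },
    {   # 4738 that changed something else; delegation field is "-".
        "event": {"action": "modified-user-account", "code": "4738"},
        "winlog": {"event_data": {
            "SubjectUserName": "helpdesk1",
            "TargetUserName": "alice",
            "TargetDomainName": "CORP",
            "AllowedToDelegateTo": "-",
        }},
    },
    {   # Computer account (4742) with the same value: out of this rule's scope.
        "event": {"action": "modified-computer-account", "code": "4742"},
        "winlog": {"event_data": {
            "SubjectUserName": "jdoe-adm",
            "TargetUserName": "WS01$",
            "TargetDomainName": "CORP",
            "AllowedToDelegateTo": "krbtgt/CORP.LOCAL",
        }},
    },
]


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS path such as 'winlog.event_data.AllowedToDelegateTo'."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eql_like_match(value: Optional[Any], pattern: str) -> bool:
    """Approximate EQL's ':' operator: case-insensitive, '*' wildcards."""
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def krbtgt_delegation_matches(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that satisfy the rule's query conditions."""
    return [
        e for e in events
        if get_field(e, "event.action") == "modified-user-account"
        and get_field(e, "event.code") == "4738"
        and eql_like_match(get_field(e, "winlog.event_data.AllowedToDelegateTo"), "*krbtgt*")
    ]


def triage_summary(event: Dict[str, Any]) -> Dict[str, Optional[Any]]:
    """Pull the fields an analyst wants first: who changed which account to what."""
    return {
        "changed_by": get_field(event, "winlog.event_data.SubjectUserName"),
        "target_account": get_field(event, "winlog.event_data.TargetUserName"),
        "target_domain": get_field(event, "winlog.event_data.TargetDomainName"),
        "delegation": get_field(event, "winlog.event_data.AllowedToDelegateTo"),
    }


if __name__ == "__main__":
    for hit in krbtgt_delegation_matches(SAMPLE_EVENTS):
        print("ALERT KRBTGT Delegation Backdoor:", triage_summary(hit))
```

Running the script prints a single alert for svc-backup; the file-server delegation, the "-" placeholder and the 4742 computer-account event are all left alone, which is the behaviour to expect from the rule as written.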
References
- https://skyblue.team/posts/delegate-krbtgt
- https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md
Related rules
- Active Directory Group Modification by SYSTEM
- AdminSDHolder SDProp Exclusion Added
- Potential Privileged Escalation via SamAccountName Spoofing
- User Added to Privileged Group
- Access to a Sensitive LDAP Attribute