KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to
maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "KRBTGT Delegation Backdoor"
references = [
    "https://skyblue.team/posts/delegate-krbtgt",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md",
]
risk_score = 73
rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where host.os.type == "windows" and event.code == "4738" and winlog.event_data.AllowedToDelegateTo : "*krbtgt*"
'''

note = """## Triage and analysis

### Investigating KRBTGT Delegation Backdoor

#### Possible investigation steps

- What account was changed, and what krbtgt delegation value did the alert preserve?
  - Focus: alert 4738 evidence in `winlog.event_data.TargetSid`, `winlog.event_data.TargetUserName`, `winlog.event_data.TargetDomainName`, `winlog.event_data.AllowedToDelegateTo`, and `winlog.computer_name`.
  - Implication: Escalate when the target now lists a krbtgt service target such as "krbtgt/DOMAIN"; lower suspicion only when the target, value, and controller match a time-boxed security validation or emergency delegation repair explicitly naming krbtgt, which is not routine delegation.

- Who initiated the account change?
  - Focus: `winlog.event_data.SubjectUserSid`, `winlog.event_data.SubjectUserName`, `winlog.event_data.SubjectDomainName`, and `winlog.event_data.SubjectLogonId`.
  - Implication: Escalate when a human admin, newly introduced service identity, or unexpected controller-local context made the change; lower suspicion only when the same stable tier-0 identity owns this exact delegation-maintenance path.

- What source and authentication method created the modifying session?
  - Focus: authentication events on the same `host.id` where `winlog.event_data.TargetLogonId` equals alert `winlog.event_data.SubjectLogonId`; review `source.ip`, `winlog.logon.type`, and `winlog.event_data.AuthenticationPackageName`. $investigate_0
  - Hint: missing authentication telemetry, or absent `source.ip` on local/service sessions, is unresolved, not benign; review same-session 4648 records when credential-source context matters. $investigate_1
  - Implication: Escalate for an unusual source, remote-interactive access, unexpected NTLM, or explicit credentials; lower suspicion when the session maps to the expected tier-0 admin path for this controller.

- Did surrounding directory changes prepare, repeat, or roll back the krbtgt delegation?
  - Focus: surrounding 4738 records for the same `winlog.event_data.TargetSid`, plus 5136 records on the same `winlog.computer_name` and modifying subject/session; use `winlog.event_data.ObjectDN`, `winlog.event_data.AttributeLDAPDisplayName`, and `winlog.event_data.AttributeValue` to identify the affected object and value.
  - Hint: reconstruct the burst from same-target 4738 and same-controller directory-service changes; if 5136 grouping is thin, use `winlog.record_id` order on the same controller plus subject/session and object DN. Absent 5136 evidence leaves prerequisite and rollback context unresolved, not benign.
    - $investigate_2
    - $investigate_3
  - Implication: Escalate when `winlog.event_data.AttributeLDAPDisplayName` and `winlog.event_data.AttributeValue` show delegation-enabling changes, repeated msDS-AllowedToDelegateTo writes, or no rollback; prompt removal narrows the persistence window but does not clear actor or session intent.

- Does the same actor or target touch other delegation-relevant accounts in the case window?
  - Focus: run this only if earlier answers are suspicious or unresolved; search 4738 and 5136 records for the same modifying subject/session or `winlog.event_data.TargetSid`, then compare `winlog.event_data.TargetUserName`, `winlog.event_data.ObjectDN`, `winlog.event_data.AttributeLDAPDisplayName`, and `winlog.event_data.AttributeValue`.
  - Implication: Broaden scope when the same actor or target appears in additional delegation writes across objects or controllers; keep it narrow when changes stay confined to one exact target and resolved maintenance path. $investigate_4

- Escalate when a non-routine actor/session adds krbtgt delegation, supporting directory changes show setup, the value remains, or same-actor/target scope expands; close only when the modified account, krbtgt value, actor/session, source/authentication context, surrounding changes, rollback, and scope all align with one tightly controlled authorized workflow; preserve raw 4738, authentication, and directory-change evidence and escalate when findings stay mixed or incomplete.

### False positive analysis

- Authorized security validation or emergency delegation repair can trigger this rule only when krbtgt delegation is the explicit planned action. Confirm the target (`winlog.event_data.TargetSid` plus `winlog.event_data.AllowedToDelegateTo`), actor/session (`winlog.event_data.SubjectUserSid`, `winlog.event_data.SubjectLogonId`, and recovered authentication context), controller, and surrounding attribute evidence all align. If change records are unavailable, telemetry-only closure must still bind one exact workflow with no contradictions; prior benign recurrence strengthens confidence but is not required.
- Do not close generic service onboarding, migration, or constrained-delegation cutover as benign unless outside confirmation explicitly names krbtgt delegation and telemetry matches that exact target, actor, session, and controller path. A normal service-delegation explanation that does not account for the krbtgt value is incomplete.
- Before creating an exception, validate that the same `winlog.event_data.SubjectUserSid`, `winlog.event_data.TargetSid`, exact `winlog.event_data.AllowedToDelegateTo`, `winlog.computer_name`, and recovered session pattern identify the authorized workflow across prior benign cases or a tightly controlled test plan. Build the exception from that minimum confirmed pattern, and avoid exceptions on "krbtgt", event 4738, or "msDS-AllowedToDelegateTo" alone.

### Response and remediation

- If confirmed benign, document the actor, target account, krbtgt value, controller, recovered session context, and surrounding delegation-change pattern before reversing temporary containment. Create an exception only if that same pattern is stable across prior benign cases.
- If suspicious but unconfirmed, first export the alert, raw 4738 record, matching authentication events, and surrounding 4738 or 5136 records. Preserve the modified account, krbtgt value, actor/session, source/auth context, and rollback evidence before reversible containment such as heightened monitoring or temporary delegation-administration restrictions.
- If confirmed malicious, preserve the same identity, session, and directory-change evidence first, then restrict or disable the modifying account. Restrict the modified target only when it was intentionally backdoored or used for follow-on Kerberos abuse. Contain the recovered source host when session evidence identifies one, or hand off the preserved evidence set to Active Directory or incident response.
- After containment, review recent 4738 and 5136 records for the same actor, target, and controller before cleanup. Remove the unauthorized krbtgt value from the `msDS-AllowedToDelegateTo` attribute, roll back related delegation-prerequisite changes identified in the same change set, and verify clean replication across domain controllers.
- If ticket abuse or broader Active Directory compromise is confirmed, activate the domain-compromise plan, including the required double reset of krbtgt after scoping and coordination with directory owners.
- Post-incident hardening: restrict delegation administration and SeEnableDelegationPrivilege to dedicated tier-0 identities, keep Audit User Account Management plus supporting 5136, 4624, and 4648 visibility on domain controllers, and document any recurring benign validation pattern for future triage.
"""

setup = """## Setup

Audit User Account Management must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-user-account-management
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "winlog.event_data.SubjectUserName",
    "winlog.event_data.SubjectUserSid",
    "winlog.event_data.SubjectDomainName",
    "winlog.event_data.SubjectLogonId",
    "winlog.logon.id",
    "winlog.event_data.TargetUserName",
    "winlog.event_data.TargetSid",
    "winlog.event_data.TargetDomainName",
    "winlog.event_data.AllowedToDelegateTo",
    "host.name",
    "host.id",
    "winlog.computer_name",
]

[transform]

[[transform.investigate]]
label = "Authentication events for the modifying session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Explicit-credential events from the modifying session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "4738 changes for this delegation target"
description = ""
providers = [
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "4738", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetSid", queryType = "phrase", value = "{{winlog.event_data.TargetSid}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "4738", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-24h/h"
relativeTo = "now"

[[transform.investigate]]
label = "5136 directory changes by this modifying session"
description = ""
providers = [
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "5136", valueType = "string" },
    { excluded = false, field = "winlog.computer_name", queryType = "phrase", value = "{{winlog.computer_name}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "5136", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectUserSid", queryType = "phrase", value = "{{winlog.event_data.SubjectUserSid}}", valueType = "string" }
  ]
]
relativeFrom = "now-24h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Delegation-sensitive changes by this actor"
description = ""
providers = [
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "4738", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectUserSid", queryType = "phrase", value = "{{winlog.event_data.SubjectUserSid}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.code", queryType = "phrase", value = "5136", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectUserSid", queryType = "phrase", value = "{{winlog.event_data.SubjectUserSid}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
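The following is an added example (not part of the Elastic rule or its repository) that re-implements the EQL query's matching logic and the triage guide's third step over constructed 4624/4738 records. The event dicts, host ids, SIDs, logon ids, SPNs and the helper names are all assumed for illustration; the `*krbtgt*` match is emulated as a case-insensitive substring test over every SPN in a possibly multi-valued attribute, which is how the EQL `:` operator with wildcards behaves on this field.

```python
# Constructed sample events (not real telemetry). Field names follow the
# rule's ECS/winlog paths, flattened into plain dicts for simplicity.
SAMPLE_EVENTS = [
    # 4624: logon that created the session later used to modify the account.
    {"event.code": "4624", "host.id": "dc01-id", "host.os.type": "windows",
     "winlog.event_data.TargetLogonId": "0x3e7a1c", "source.ip": "10.20.30.40",
     "winlog.logon.type": "RemoteInteractive",
     "winlog.event_data.AuthenticationPackageName": "NTLM"},
    # 4738: account change whose new delegation list includes a krbtgt SPN
    # (a 4738 record may carry several SPNs separated by whitespace).
    {"event.code": "4738", "host.id": "dc01-id", "host.os.type": "windows",
     "winlog.computer_name": "DC01.corp.example",
     "winlog.event_data.SubjectUserName": "jdoe",
     "winlog.event_data.SubjectLogonId": "0x3e7a1c",
     "winlog.event_data.TargetUserName": "svc-web",
     "winlog.event_data.TargetSid": "S-1-5-21-111-222-333-1105",
     "winlog.event_data.AllowedToDelegateTo":
         "HTTP/web01.corp.example\r\n\t\tkrbtgt/CORP.EXAMPLE"},
    # 4738: routine constrained delegation to a web SPN only (no alert).
    {"event.code": "4738", "host.id": "dc01-id", "host.os.type": "windows",
     "winlog.event_data.SubjectLogonId": "0x3e7a1c",
     "winlog.event_data.TargetUserName": "svc-app",
     "winlog.event_data.AllowedToDelegateTo": "HTTP/web02.corp.example"},
    # 4738: account change that did not touch delegation ("-" = unchanged).
    {"event.code": "4738", "host.id": "dc01-id", "host.os.type": "windows",
     "winlog.event_data.SubjectLogonId": "0x51f0",
     "winlog.event_data.TargetUserName": "alice",
     "winlog.event_data.AllowedToDelegateTo": "-"},
]


def krbtgt_wildcard(value):
    """Emulate EQL `winlog.event_data.AllowedToDelegateTo : "*krbtgt*"`:
    case-insensitive substring match over each SPN in the attribute."""
    if value is None:
        return False
    spns = value if isinstance(value, list) else str(value).split()
    return any("krbtgt" in spn.lower() for spn in spns)


def matches_rule(event):
    """The rule's three predicates: Windows host, event 4738, krbtgt in the list."""
    return (event.get("host.os.type") == "windows"
            and event.get("event.code") == "4738"
            and krbtgt_wildcard(event.get("winlog.event_data.AllowedToDelegateTo")))


def find_alerts(events):
    return [e for e in events if matches_rule(e)]


def session_context(events, alert):
    """Triage step 3: join the alert's SubjectLogonId to a 4624 TargetLogonId
    on the same host.id and return the source/auth fields the guide reviews.
    None means the authentication telemetry is missing (unresolved, not benign)."""
    for e in events:
        if (e.get("event.code") == "4624" and e.get("host.id") == alert.get("host.id")
                and e.get("winlog.event_data.TargetLogonId")
                == alert.get("winlog.event_data.SubjectLogonId")):
            return {k: e.get(k) for k in ("source.ip", "winlog.logon.type",
                                           "winlog.event_data.AuthenticationPackageName")}
    return None


def session_escalation_reasons(ctx):
    """Apply the guide's implication: remote-interactive access or NTLM on the
    modifying session are escalation signals; missing context stays unresolved."""
    if ctx is None:
        return ["unresolved: no matching 4624 telemetry"]
    reasons = []
    if ctx.get("winlog.logon.type") == "RemoteInteractive":
        reasons.append("remote-interactive access")
    if ctx.get("winlog.event_data.AuthenticationPackageName") == "NTLM":
        reasons.append("NTLM authentication")
    return reasons
```

Running `find_alerts(SAMPLE_EVENTS)` yields only the `svc-web` change; the routine web-SPN delegation and the unchanged ("-") record do not match, which is the behaviour the false-positive guidance relies on.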
