KRBTGT Delegation Backdoor
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/27"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to
11maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "KRBTGT Delegation Backdoor"
18references = [
19 "https://skyblue.team/posts/delegate-krbtgt",
20 "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md",
21]
22risk_score = 73
23rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82"
24setup = """## Setup
25
26The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
27Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Account Management > Audit User Account Management (Success,Failure)
1"""
2severity = "high"
3tags = [
4 "Domain: Endpoint",
5 "OS: Windows",
6 "Use Case: Threat Detection",
7 "Tactic: Persistence",
8 "Use Case: Active Directory Monitoring",
9 "Data Source: Active Directory",
10]
11timestamp_override = "event.ingested"
12type = "query"
13
14query = '''
15event.action:modified-user-account and event.code:4738 and
16 winlog.event_data.AllowedToDelegateTo:*krbtgt*
17'''
18
19
20[[rule.threat]]
21framework = "MITRE ATT&CK"
22[[rule.threat.technique]]
23id = "T1098"
24name = "Account Manipulation"
25reference = "https://attack.mitre.org/techniques/T1098/"
26
27
28[rule.threat.tactic]
29id = "TA0003"
30name = "Persistence"
31reference = "https://attack.mitre.org/tactics/TA0003/"
32[[rule.threat]]
33framework = "MITRE ATT&CK"
34[[rule.threat.technique]]
35id = "T1558"
36name = "Steal or Forge Kerberos Tickets"
37reference = "https://attack.mitre.org/techniques/T1558/"
38
39
40[rule.threat.tactic]
41id = "TA0006"
42name = "Credential Access"
43reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
This article describe a new persistence technique in Active Directory that allows to create valid TGT (i.e. have a master key). This technique relies on a Service Account with a Constrained Delegation to the KRBTGT service.
Read More -
Actionable analytics designed to combat threats. Contribute to atc-project/atomic-threat-coverage development by creating an account on GitHub.
Read More
Related rules
- Account Configured with Never-Expiring Password
- Potential Privileged Escalation via SamAccountName Spoofing
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User