KRBTGT Delegation Backdoor

Identifies modification of an account's msDS-AllowedToDelegateTo attribute to include the KRBTGT service (for example `krbtgt/CORP.LOCAL`). An account constrained-delegated to KRBTGT can use S4U2Self and S4U2Proxy to obtain service tickets for krbtgt, which are Ticket Granting Tickets, on behalf of other domain users, so whoever controls that account can impersonate domain users without knowing the KRBTGT key hash. Attackers use this as a persistence backdoor that survives a KRBTGT password reset. The rule keys on event 4738 (a user account was changed) and the AllowedToDelegateTo value it carries; note that the same change on a computer account is logged as event 4742 (a computer account was changed), which this query does not cover.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/27"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to
maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "KRBTGT Delegation Backdoor"
note = """## Setup

The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Account Management > Audit User Account Management (Success,Failure)

"""
references = [
    "https://skyblue.team/posts/delegate-krbtgt",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md",
]
risk_score = 73
rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:modified-user-account and event.code:4738 and
  winlog.event_data.AllowedToDelegateTo:*krbtgt*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
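As an added example (not Elastic's code and not part of the rule above), the query logic replayed in Python over a handful of constructed events, so the match conditions can be tested offline. The events are built by hand in the ECS shape Winlogbeat and the Elastic Windows integration produce for 4738 and 4742; the `event.action` value for 4742 (`modified-computer-account`), the newline separation of multiple SPNs in `AllowedToDelegateTo`, and the `-` placeholder for an unchanged attribute are assumptions taken from how these events render, not from the rule. The second detector widens the rule to computer accounts and matches on the SPN's service class instead of a bare `*krbtgt*` substring.

```python
"""Replay of the 'KRBTGT Delegation Backdoor' detection over constructed events.

Added example; not Elastic's code. Field names other than the three used by the
rule's KQL (event.action, event.code, winlog.event_data.AllowedToDelegateTo)
are assumptions about how the Windows Security events are shipped.
"""

KRBTGT_SERVICE_CLASS = "krbtgt"

# Constructed sample events (not real telemetry).
EVENTS = [
    {   # Benign: constrained delegation to a file server; must not alert.
        "event": {"code": "4738", "action": "modified-user-account"},
        "winlog": {"event_data": {
            "TargetUserName": "svc_web", "SubjectUserName": "helpdesk1",
            "AllowedToDelegateTo": "cifs/FS01.corp.local\ncifs/FS01",
        }},
    },
    {   # Backdoor on a user account: exactly what the Elastic query catches.
        "event": {"code": "4738", "action": "modified-user-account"},
        "winlog": {"event_data": {
            "TargetUserName": "svc_backup", "SubjectUserName": "attacker",
            "AllowedToDelegateTo": "krbtgt/CORP.LOCAL",
        }},
    },
    {   # 4738 reports '-' for attributes the change did not touch.
        "event": {"code": "4738", "action": "modified-user-account"},
        "winlog": {"event_data": {
            "TargetUserName": "svc_sql", "SubjectUserName": "helpdesk1",
            "AllowedToDelegateTo": "-",
        }},
    },
    {   # Same backdoor on a computer account: logged as 4742, so the rule misses it.
        "event": {"code": "4742", "action": "modified-computer-account"},
        "winlog": {"event_data": {
            "TargetUserName": "WS07$", "SubjectUserName": "attacker",
            "AllowedToDelegateTo": "krbtgt/CORP.LOCAL",
        }},
    },
]


def delegation_field(event: dict) -> str:
    """The raw AllowedToDelegateTo string, or '' when the event lacks it."""
    return event.get("winlog", {}).get("event_data", {}).get("AllowedToDelegateTo", "")


def elastic_rule_matches(event: dict) -> bool:
    """Literal port of the rule's KQL:
    event.action:modified-user-account and event.code:4738 and
      winlog.event_data.AllowedToDelegateTo:*krbtgt*
    The wildcard is a substring test; it is case-folded here for robustness.
    """
    return (
        event["event"].get("action") == "modified-user-account"
        and event["event"].get("code") == "4738"
        and KRBTGT_SERVICE_CLASS in delegation_field(event).lower()
    )


def krbtgt_spns(field: str) -> list:
    """SPNs in the field whose service class is krbtgt, e.g. 'krbtgt/CORP.LOCAL'.
    Assumption: several SPNs arrive newline-separated; '-' means unchanged."""
    found = []
    for spn in field.replace("\r", "").split("\n"):
        spn = spn.strip()
        if not spn or spn == "-":
            continue
        service_class = spn.split("/", 1)[0]
        if service_class.lower() == KRBTGT_SERVICE_CLASS:
            found.append(spn)
    return found


def extended_rule_matches(event: dict) -> bool:
    """Widened detector: both user (4738) and computer (4742) account changes,
    matching on the SPN's service class rather than any substring."""
    return (
        event["event"].get("code") in ("4738", "4742")
        and bool(krbtgt_spns(delegation_field(event)))
    )


def run(events) -> list:
    """Evaluate both detectors and return one alert per event that fires,
    with which detector fired and the offending SPNs."""
    alerts = []
    for ev in events:
        by_rule = elastic_rule_matches(ev)
        by_ext = extended_rule_matches(ev)
        if not (by_rule or by_ext):
            continue
        data = ev["winlog"]["event_data"]
        alerts.append({
            "target": data.get("TargetUserName"),
            "subject": data.get("SubjectUserName"),
            "event_code": ev["event"].get("code"),
            "spns": krbtgt_spns(delegation_field(ev)),
            "matched_by": [n for n, hit in (("elastic_rule", by_rule),
                                            ("extended_rule", by_ext)) if hit],
        })
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Running the block prints two alerts: `svc_backup` (both detectors) and `WS07$` (extended detector only), which is the gap a 4742-aware companion rule, backed by the 'Audit Computer Account Management' policy, would close.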

Setup

The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Account Management > Audit User Account Management (Success,Failure)
