KRBTGT Delegation Backdoor

Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to
maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "KRBTGT Delegation Backdoor"
references = [
    "https://skyblue.team/posts/delegate-krbtgt",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md",
]
risk_score = 73
rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82"
setup = """## Setup

The 'Audit User Account Management' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Account Management > Audit User Account Management (Success,Failure)
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:modified-user-account and event.code:4738 and
  winlog.event_data.AllowedToDelegateTo:*krbtgt*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
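The following is an added example, not Elastic's code: a Python re-implementation of the rule's KQL query, run over constructed Winlogbeat-style event 4738 records. The ECS field names are taken from the query above; the sample usernames, SPNs and the handling of a multi-valued AllowedToDelegateTo field are assumptions for illustration.

```python
import json

# Constructed sample events in the shape Winlogbeat gives Security event 4738
# ("A user account was changed"). All names and SPN values are made up.
SAMPLE_EVENTS = [
    {"event": {"action": "modified-user-account", "code": "4738"},
     "winlog": {"event_data": {"SubjectUserName": "jdoe", "TargetUserName": "svc-backup",
                               "AllowedToDelegateTo": "krbtgt/CORP.EXAMPLE"}}},
    {"event": {"action": "modified-user-account", "code": "4738"},
     "winlog": {"event_data": {"SubjectUserName": "admin", "TargetUserName": "websrv01$",
                               "AllowedToDelegateTo": "cifs/fileserver.corp.example"}}},
    {"event": {"action": "modified-user-account", "code": "4738"},
     "winlog": {"event_data": {"SubjectUserName": "helpdesk", "TargetUserName": "jsmith",
                               "AllowedToDelegateTo": "-"}}},  # "-": attribute not changed
    {"event": {"action": "added-user-account", "code": "4720"},
     "winlog": {"event_data": {"SubjectUserName": "admin", "TargetUserName": "krbtgt-lookalike"}}},
]

def field(event, path):
    """Walk a dotted ECS path; return None when any segment is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """Equivalent of the KQL: event.action, event.code and a *krbtgt* wildcard on
    winlog.event_data.AllowedToDelegateTo. The wildcard becomes a case-insensitive
    substring test (an assumption); the field may be a string or a list of SPNs."""
    if field(event, "event.action") != "modified-user-account":
        return False
    if str(field(event, "event.code")) != "4738":
        return False
    spns = field(event, "winlog.event_data.AllowedToDelegateTo")
    if spns is None:
        return False
    if isinstance(spns, str):
        spns = [spns]
    return any("krbtgt" in spn.lower() for spn in spns)

def alerts(events):
    """Return (actor, modified account, delegation value) for every matching event."""
    return [(field(e, "winlog.event_data.SubjectUserName"),
             field(e, "winlog.event_data.TargetUserName"),
             field(e, "winlog.event_data.AllowedToDelegateTo"))
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for actor, target, spn in alerts(SAMPLE_EVENTS):
        print(json.dumps({"rule": "KRBTGT Delegation Backdoor", "subject": actor,
                          "target": target, "allowed_to_delegate_to": spn}))
```

Only the first event fires; the unchanged attribute ("-"), the ordinary cifs/ SPN and the 4720 creation event are all filtered out.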
