Service Creation via Local Kerberos Authentication

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Tactic: Credential Access Use Case: Active Directory Monitoring Data Source: Active Directory Data Source: System  ·
Share on: linkedin copy

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/04/27"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to
13localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos
14relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Service Creation via Local Kerberos Authentication"
21references = [
22    "https://github.com/Dec0ne/KrbRelayUp",
23    "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
24    "https://github.com/cube0x0/KrbRelay",
25    "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82",
26]
27risk_score = 73
28rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4"
29severity = "high"
30tags = [
31    "Domain: Endpoint",
32    "OS: Windows",
33    "Use Case: Threat Detection",
34    "Tactic: Privilege Escalation",
35    "Tactic: Credential Access",
36    "Use Case: Active Directory Monitoring",
37    "Data Source: Active Directory",
38    "Data Source: System",
39]
40type = "eql"
41
42query = '''
43sequence by winlog.computer_name with maxspan=5m
44 [authentication where
45
46  /* event 4624 need to be logged */
47  event.action == "logged-in" and event.outcome == "success" and
48
49  /* authenticate locally using relayed kerberos Ticket */
50  winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and
51  cidrmatch(source.ip, "127.0.0.0/8", "::1") and source.port > 0] by winlog.event_data.TargetLogonId
52
53  [any where
54   /* event 4697 need to be logged */
55   event.action : "service-installed"] by winlog.event_data.SubjectLogonId
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1543"
63name = "Create or Modify System Process"
64reference = "https://attack.mitre.org/techniques/T1543/"
65[[rule.threat.technique.subtechnique]]
66id = "T1543.003"
67name = "Windows Service"
68reference = "https://attack.mitre.org/techniques/T1543/003/"
69
70
71
72[rule.threat.tactic]
73id = "TA0004"
74name = "Privilege Escalation"
75reference = "https://attack.mitre.org/tactics/TA0004/"
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1558"
80name = "Steal or Forge Kerberos Tickets"
81reference = "https://attack.mitre.org/techniques/T1558/"
82
83
84[rule.threat.tactic]
85id = "TA0006"
86name = "Credential Access"
87reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top