Service Creation via Local Kerberos Authentication

calendar Jun 22, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Privilege Escalation Tactic: Credential Access Use Case: Active Directory Monitoring Data Source: Active Directory  ·
Share on: linkedin copy

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/04/27"
 3integration = ["system", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to
13localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos
14relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Service Creation via Local Kerberos Authentication"
21references = [
22    "https://github.com/Dec0ne/KrbRelayUp",
23    "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
24    "https://github.com/cube0x0/KrbRelay",
25    "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82",
26]
27risk_score = 73
28rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4"
29severity = "high"
30tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
31type = "eql"
32
33query = '''
34sequence by winlog.computer_name with maxspan=5m
35 [authentication where
36
37  /* event 4624 need to be logged */
38  event.action == "logged-in" and event.outcome == "success" and
39
40  /* authenticate locally using relayed kerberos Ticket */
41  winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and
42  cidrmatch(source.ip, "127.0.0.0/8", "::1") and source.port > 0] by winlog.event_data.TargetLogonId
43
44  [any where
45   /* event 4697 need to be logged */
46   event.action : "service-installed"] by winlog.event_data.SubjectLogonId
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1543"
54name = "Create or Modify System Process"
55reference = "https://attack.mitre.org/techniques/T1543/"
56[[rule.threat.technique.subtechnique]]
57id = "T1543.003"
58name = "Windows Service"
59reference = "https://attack.mitre.org/techniques/T1543/003/"
60
61
62
63[rule.threat.tactic]
64id = "TA0004"
65name = "Privilege Escalation"
66reference = "https://attack.mitre.org/tactics/TA0004/"
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1558"
71name = "Steal or Forge Kerberos Tickets"
72reference = "https://attack.mitre.org/techniques/T1558/"
73
74
75[rule.threat.tactic]
76id = "TA0006"
77name = "Credential Access"
78reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top