Service Creation via Local Kerberos Authentication
Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/04/27"
3integration = ["system", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to
11localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos
12relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Service Creation via Local Kerberos Authentication"
19references = [
20 "https://github.com/Dec0ne/KrbRelayUp",
21 "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html",
22 "https://github.com/cube0x0/KrbRelay",
23 "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82",
24]
25risk_score = 73
26rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4"
27severity = "high"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Privilege Escalation",
33 "Tactic: Credential Access",
34 "Use Case: Active Directory Monitoring",
35 "Data Source: Active Directory",
36]
37type = "eql"
38
39query = '''
40sequence by winlog.computer_name with maxspan=5m
41 [authentication where
42
43 /* event 4624 need to be logged */
44 event.action == "logged-in" and event.outcome == "success" and
45
46 /* authenticate locally using relayed kerberos Ticket */
47 winlog.event_data.AuthenticationPackageName :"Kerberos" and winlog.logon.type == "Network" and
48 cidrmatch(source.ip, "127.0.0.0/8", "::1") and source.port > 0] by winlog.event_data.TargetLogonId
49
50 [any where
51 /* event 4697 need to be logged */
52 event.action : "service-installed"] by winlog.event_data.SubjectLogonId
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1543"
60name = "Create or Modify System Process"
61reference = "https://attack.mitre.org/techniques/T1543/"
62[[rule.threat.technique.subtechnique]]
63id = "T1543.003"
64name = "Windows Service"
65reference = "https://attack.mitre.org/techniques/T1543/003/"
66
67
68
69[rule.threat.tactic]
70id = "TA0004"
71name = "Privilege Escalation"
72reference = "https://attack.mitre.org/tactics/TA0004/"
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1558"
77name = "Steal or Forge Kerberos Tickets"
78reference = "https://attack.mitre.org/techniques/T1558/"
79
80
81[rule.threat.tactic]
82id = "TA0006"
83name = "Credential Access"
84reference = "https://attack.mitre.org/tactics/TA0006/"
References
Related rules
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Potential Credential Access via DCSync
- Potential Privileged Escalation via SamAccountName Spoofing
- Remote Computer Account DnsHostName Update