Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
Sigma rule
title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
    This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
    - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid|startswith: 'S-1-5-21-'
        TargetUserSid|endswith: '-500'
    filter_main_ip_null:
        IpPort: '0'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
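To make the detection logic concrete, the following is an added example (written for this page, not the Sigma project's engine and not the rule authors' code) that evaluates the rule's `selection and not 1 of filter_main_*` condition over a handful of constructed Windows Security 4624 events. Field names follow the rule; the SIDs, addresses and ports are placeholders, and the example assumes event field values arrive as strings, as they do in exported event XML.

```python
# Added example: a minimal evaluator for the rule's detection logic, run over
# constructed 4624 events. Illustrative code for this page only, not pySigma
# and not the rule authors' code. Sample values below are placeholders.
from typing import Dict, List


def _ci_eq(value: str, expected: str) -> bool:
    """Sigma string comparisons are case-insensitive by default."""
    return value.lower() == expected.lower()


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate `selection and not 1 of filter_main_*` for one event."""
    sid = event.get("TargetUserSid", "")
    selection = (
        event.get("EventID") == "4624"
        and event.get("LogonType") == "3"            # network logon
        and _ci_eq(event.get("AuthenticationPackageName", ""), "Kerberos")
        and event.get("IpAddress") == "127.0.0.1"    # source is loopback
        and sid.upper().startswith("S-1-5-21-")      # machine/domain SID prefix
        and sid.endswith("-500")                     # RID 500 = built-in Administrator
    )
    # filter_main_ip_null: a source port of 0 means no real network peer,
    # which the rule excludes to reduce noise.
    filter_main_ip_null = event.get("IpPort") == "0"
    return bool(selection and not filter_main_ip_null)


def alerting_events(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (placeholders, not captured telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: Kerberos network logon from loopback to RID 500, real source port -> alert
        "EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
        "IpAddress": "127.0.0.1", "IpPort": "49731",
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
    },
    {   # 1: identical but IpPort 0 -> excluded by filter_main_ip_null
        "EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
        "IpAddress": "127.0.0.1", "IpPort": "0",
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
    },
    {   # 2: NTLM instead of Kerberos -> no alert
        "EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
        "IpAddress": "127.0.0.1", "IpPort": "49732",
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
    },
    {   # 3: loopback Kerberos logon to an ordinary user (RID 1105) -> no alert
        "EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
        "IpAddress": "127.0.0.1", "IpPort": "49733",
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    },
    {   # 4: RID 500 over Kerberos but from a remote host, not localhost -> no alert
        "EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
        "IpAddress": "10.0.0.25", "IpPort": "49734",
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
    },
]


if __name__ == "__main__":
    for i in alerting_events(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event[{i}]: {e['AuthenticationPackageName']} logon "
              f"from {e['IpAddress']}:{e['IpPort']} to {e['TargetUserSid']}")
```

Only event 0 alerts. Two points worth noting when tuning: the `S-1-5-21-*-500` pattern also matches the domain's own RID 500 Administrator account, not just the machine-local one, so an environment that wants to narrow the rule can anchor `TargetUserSid` on the host's machine SID prefix; and the `IpPort: '0'` filter is what separates genuine loopback network logons from events that carry no real peer port.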