Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a successful network logon (Security event 4624, logon type 3) authenticated with the Kerberos package from the loopback address 127.0.0.1 where the target account is an RID 500 Administrator (a SID of the form S-1-5-21-<domain or machine>-500); logons whose source port is 0 are excluded. A Kerberos logon to the local Administrator account that originates from the host itself is the footprint of a local Kerberos relay over LDAP (the KrbRelayUp-style attack the referenced Elastic rule covered), which elevates a domain-joined limited user to local SYSTEM, so such an event warrants investigation.
Sigma rule
title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
    This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
    - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid|startswith: 'S-1-5-21-'
        TargetUserSid|endswith: '-500'
    filter_main_ip_null:
        IpPort: '0'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
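To make the rule's logic concrete, the following Python is an added example written for this page (it is not code from SigmaHQ, Elastic or the rule author). It evaluates the `selection` and `filter_main_ip_null` blocks above, combined with the rule's condition, over a handful of constructed 4624 events whose field names follow the rule; the SIDs, ports and addresses in the samples are made up.

```python
"""Evaluate the Sigma rule above against constructed Windows Security events.

Added example: not part of the original page or of SigmaHQ. Events are dicts
keyed by the field names the rule uses (EventID, LogonType,
AuthenticationPackageName, IpAddress, IpPort, TargetUserSid).
"""

from typing import Dict, List

Event = Dict[str, str]

RULE_SOURCE_IP = "127.0.0.1"


def is_rid500_sid(sid: str) -> bool:
    """TargetUserSid|startswith 'S-1-5-21-' and TargetUserSid|endswith '-500'.

    Matches the RID 500 Administrator of a machine or domain
    (S-1-5-21-<authority>-500) and nothing else, so well-known SIDs such as
    SYSTEM (S-1-5-18) never satisfy it.
    """
    return sid.startswith("S-1-5-21-") and sid.endswith("-500")


def selection(ev: Event) -> bool:
    """The rule's 'selection' block; Sigma ANDs all fields of one block.

    EventID and LogonType are compared as strings because collectors deliver
    them as either integers or strings depending on the pipeline.
    """
    return (
        str(ev.get("EventID", "")) == "4624"
        and str(ev.get("LogonType", "")) == "3"
        and ev.get("AuthenticationPackageName", "") == "Kerberos"
        and ev.get("IpAddress", "") == RULE_SOURCE_IP
        and is_rid500_sid(ev.get("TargetUserSid", ""))
    )


def filter_main_ip_null(ev: Event) -> bool:
    """The rule's 'filter_main_ip_null' block: a source port of 0."""
    return str(ev.get("IpPort", "")) == "0"


def matches_rule(ev: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_ip_null(ev)


def _event(**fields: str) -> Event:
    """Build a constructed 4624 event with rule-relevant defaults (hypothetical values)."""
    base: Event = {
        "EventID": "4624",
        "LogonType": "3",
        "AuthenticationPackageName": "Kerberos",
        "IpAddress": "127.0.0.1",
        "IpPort": "49712",
        "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
    }
    base.update(fields)
    return base


# Constructed sample events; only index 0 should fire the rule.
SAMPLE_EVENTS: List[Event] = [
    _event(),                                  # 0: loopback Kerberos logon to RID 500 -> alert
    _event(IpPort="0"),                        # 1: selection hits, but port 0 is filtered out
    _event(AuthenticationPackageName="NTLM"),  # 2: NTLM, not Kerberos
    _event(IpAddress="10.0.0.25"),             # 3: remote source, not loopback
    _event(TargetUserSid="S-1-5-21-1111111111-2222222222-3333333333-1105"),  # 4: ordinary user
    _event(TargetUserSid="S-1-5-18"),          # 5: SYSTEM, a well-known SID
    _event(LogonType="2"),                     # 6: interactive logon, not network
]


def alerting_indices(events: List[Event]) -> List[int]:
    """Return the positions of the events that would fire the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in alerting_indices(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['TargetUserSid']} via {ev['AuthenticationPackageName']} "
              f"from {ev['IpAddress']}:{ev['IpPort']}")
```

Two simplifications compared to a real Sigma backend: string matching here is exact, whereas Sigma compares case-insensitively by default (relevant only to the `Kerberos` value, since SIDs and addresses carry no letters), and the events are already parsed into the rule's field names, which in practice is the job of the SIEM's field mapping for the Security channel.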