LAPS Credential Dumping Spoofing and Domain Controller Impersonation
Identify LAPS credential dumping by looking for users accessing objects via Event ID 4662, and login authentication events via Event ID 4624. The two events must contain the same LogonID to track the same logon session. NOTE - The TargetLogonId has to match the SubjectLogonId. Not sure how to implement the logic using sigma, so I have left it as a placeholder. Make sure to change it depending on the SIEM you are using.
Sigma rule
```yaml
title: LAPS Credential Dumping Spoofing and Domain Controller Impersonation
id: b4019300-4846-4c66-9d3e-62efff5cff51
status: experimental
date: 2023/02/21
author: '@kostastsale'
description: 'Identify LAPS credential dumping by looking for users accessing objects via Event ID 4662,
  and login authentication events via Event ID 4624. The two events must contain the same LogonID to track
  the same logon session.

  NOTE - The TargetLogonId has to match the SubjectLogonId. Not sure how to implement the logic
  using sigma, so I have left it as a placeholder. Make sure to change it depending on the SIEM you are using.'
references:
  - https://www.trustedsec.com/blog/a-lapse-in-judgement/?hss_channel=tw-403811306 (Includes Splunk Query)
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-laps
logsource:
  product: windows
  service: security
detection:
  selection1:
    EventID: 4662
    AccessMask:
      - '0x100'
      - '0x10'
  selection2:
    EventID: 4624
    # Placeholder: the 4624 TargetLogonId must be joined to the 4662 SubjectLogonId
    # in the SIEM; Sigma has no cross-event join.
    TargetLogonId: '%SubjectLogonId%'
  # Two separate filters: fields inside one selection are ANDed, so a single
  # filter requiring a name that both ends with '$' and equals SYSTEM could never match.
  filter_machine_accounts:
    EventID: 4662
    SubjectUserName|endswith: '$'
  filter_builtin_accounts:
    EventID: 4662
    SubjectUserName:
      - 'ANONYMOUS LOGON'
      - 'SYSTEM'
  condition: (selection1 and selection2) and not 1 of filter_*
falsepositives:
  - Unknown
level: high
tags:
  - attack.credential_access
  - attack.t1003
```
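The cross-event join the rule leaves as a placeholder, written out as an added example (not part of the rule or its author's code): 4624 events are indexed by TargetLogonId, then each 4662 event with the rule's AccessMask values is joined on its SubjectLogonId and the rule's filters are applied. Field names follow the 4624/4662 event schema; the sample events are constructed.

```python
# Added example, not part of the original rule: correlate Windows Security
# events 4662 and 4624 on the logon session, the join the Sigma rule leaves
# as a placeholder. Field names follow the 4624/4662 event schema; the
# sample events themselves are constructed.
# AccessMask values from the rule: 0x100 (Control Access, how a read of a
# confidential attribute is logged) and 0x10 (Read Property).
ACCESS_MASKS = {"0x100", "0x10"}
EXCLUDED_USERS = {"ANONYMOUS LOGON", "SYSTEM"}


def is_filtered(user):
    """Mirror the rule's filter: machine accounts, ANONYMOUS LOGON, SYSTEM."""
    return user.endswith("$") or user in EXCLUDED_USERS


def correlate(events):
    """Return (4624 logon, 4662 access) pairs that share a logon session:
    a 4624's TargetLogonId names the session, a 4662's SubjectLogonId uses it."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] not in ACCESS_MASKS:
            continue
        if is_filtered(e["SubjectUserName"]):
            continue
        logon = logons.get(e["SubjectLogonId"])
        if logon is not None:
            hits.append((logon, e))
    return hits


# Constructed sample log: one network logon followed by a matching object
# access, plus a machine-account access and an access with no 4624 to join.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3E7A1",
     "LogonType": 3, "IpAddress": "10.0.0.25"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3E7A1",
     "AccessMask": "0x100", "ObjectType": "computer"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3E7",
     "AccessMask": "0x100", "ObjectType": "computer"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x99999",
     "AccessMask": "0x10", "ObjectType": "computer"},
]

if __name__ == "__main__":
    for logon, access in correlate(SAMPLE_EVENTS):
        print(f"{access['SubjectUserName']} ({logon['IpAddress']}) read "
              f"{access['ObjectType']} in session {access['SubjectLogonId']}")
```

The joined 4624 record is what gives the access its source address, which is the detail the 4662 event alone does not carry.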