LAPS Credential Dumping Spoofing and Domain Controller Impersonation

Identify LAPS credential dumping by looking for users accessing objects via Event ID 4662, and login authentication events via Event ID 4624. The two events must contain the same LogonID to track the same logon session. NOTE - The TargetLogonId has to match the SubjectLogonId. Not sure how to implement the logic using sigma, so I have left it as a placeholder. Make sure to change it depending on the SIEM you are using.

Sigma rule

title: LAPS Credential Dumping Spoofing and Domain Controller Impersonation
id: b4019300-4846-4c66-9d3e-62efff5cff51
status: experimental
date: 2023/02/21
author: '@kostastsale'
description: 'Identify LAPS credential dumping by looking for users accessing objects via Event ID 4662,
and login authentication events via Event ID 4624. The two events must contain the same LogonID to track
the same logon session.

NOTE - The TargetLogonId has to match the SubjectLogonId. Not sure how to implement the logic
using sigma, so I have left it as a placeholder. Make sure to change it depending on the SIEM you are using.'
references:
  - https://www.trustedsec.com/blog/a-lapse-in-judgement/?hss_channel=tw-403811306 (Includes Splunk Query)
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-laps
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4662
        AccessMask:
            - '0x100'
            - '0x10'
    selection2:
        EventID: 4624
        # Placeholder: the 4624 TargetLogonId must be joined to the 4662 SubjectLogonId in the SIEM
        TargetLogonId: '%SubjectLogonId%'
    # The two exclusions are separate selections so that they are OR-ed; inside one
    # map they would be AND-ed and a name can never end with '$' and equal 'SYSTEM'.
    filter_machine_accounts:
        EventID: 4662
        SubjectUserName|endswith: '$'
    filter_builtin_accounts:
        EventID: 4662
        SubjectUserName:
            - 'ANONYMOUS LOGON'
            - 'SYSTEM'
    condition: (selection1 and selection2) and not 1 of filter_*
falsepositives:
    - Unknown
level: high
tags:
    - attack.credential_access
    - attack.t1003
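The logon-ID join that the rule's description leaves as a SIEM-specific placeholder, written out as an added Python example (not the author's rule or code) over constructed Security-log events; the field names are those of events 4624 and 4662, and all sample values are made up:

```python
# Added example (not part of the original rule): the 4662/4624 join that the
# Sigma rule leaves as a placeholder, written in Python over event dicts.
# Field names follow the Windows Security log; sample values are constructed.
from collections import defaultdict

SUSPECT_MASKS = {0x100, 0x10}          # AccessMask values from selection1
EXCLUDED_SUBJECTS = {"ANONYMOUS LOGON", "SYSTEM"}

def is_excluded_subject(name):
    """Filter: machine accounts (trailing '$') and well-known principals."""
    return name.endswith("$") or name.upper() in EXCLUDED_SUBJECTS

def correlate(events):
    """Return (4662, 4624) pairs whose SubjectLogonId equals TargetLogonId.
    4624 TargetLogonId identifies the new logon session; object accesses made
    in that session carry the same value as 4662 SubjectLogonId. Hex IDs are
    compared case-insensitively because collectors differ in casing.
    """
    logons = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624:
            logons[e["TargetLogonId"].lower()].append(e)
    hits = []
    for e in events:
        if e["EventID"] != 4662 or int(e["AccessMask"], 16) not in SUSPECT_MASKS:
            continue
        if is_excluded_subject(e["SubjectUserName"]):
            continue
        for logon in logons.get(e["SubjectLogonId"].lower(), []):
            hits.append((e, logon))
    return hits

# Constructed sample events: a user session that reads an object (alert),
# a machine account doing the same (filtered), and a 4662 with no 4624.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3E7A1", "IpAddress": "10.0.0.25"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1",
     "AccessMask": "0x100", "ObjectType": "computer"},
    {"EventID": 4624, "TargetUserName": "WS01$", "TargetLogonId": "0x5B2C0"},
    {"EventID": 4662, "SubjectUserName": "WS01$", "SubjectLogonId": "0x5B2C0",
     "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x99999",
     "AccessMask": "0x10"},
]

if __name__ == "__main__":
    for access, logon in correlate(SAMPLE_EVENTS):
        print(f"{access['SubjectUserName']} from {logon.get('IpAddress', '?')} accessed "
              f"an object with mask {access['AccessMask']} in logon {access['SubjectLogonId']}")
```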
