Service Creation via Local Kerberos Authentication

Author: Elastic
Source: upstream

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service
Privilege Escalation	`T1543` Create or Modify System Process, `T1543.003` Create or Modify System Process: Windows Service
Credential Access	`T1557` Adversary-in-the-Middle, `T1558` Steal or Forge Kerberos Tickets
Collection	`T1557` Adversary-in-the-Middle

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4697	A service was installed in the system.

Stages and Predicates

Stage 1: `eql:authentication`

event.action:"logged-in" and event.outcome:"success" and process.pid:0 and source.ip:"127.0.0.0/8" and winlog.event_data.AuthenticationPackageName:"Kerberos" and winlog.event_data.ElevatedToken:"%%1843" and winlog.logon.type:"Network"

Stage 2: `eql:any`

event.action:"service-installed"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`logged-in` corpus 7 (elastic 7)
`event.action`	wildcard	`service-installed`
`event.outcome`	eq	`success` corpus 8 (elastic 8)
`process.pid`	eq	`0` corpus 2 (sigma 1, elastic 1)
`source.ip`	cidr_match	`127.0.0.0/8` `::1`
`winlog.event_data.AuthenticationPackageName`	wildcard	`Kerberos` corpus 2 (elastic 2)
`winlog.event_data.ElevatedToken`	eq	`%%1843`
`winlog.logon.type`	eq	`Network` corpus 4 (elastic 4)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Remote Windows Service Installed [elastic]