
Suspicious Kerberos Service Ticket Request

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.

MITRE ATT&CK coverage

Tactic                Technique
Initial Access        T1078.002 Valid Accounts: Domain Accounts
Persistence           T1078.002 Valid Accounts: Domain Accounts
Privilege Escalation  T1078.002 Valid Accounts: Domain Accounts
Defense Evasion       T1078.002 Valid Accounts: Domain Accounts

Event coverage

Provider            Event ID  Title
Security-Auditing   4769      A Kerberos service ticket was requested.

Stages and Predicates

Stage 1: search

search EventCode=4769

Stage 2: eval

eval ... using (ServiceName, TargetUserName)

Stage 3: where

where isSuspicious=1

Stage 4: rename

rename

Stage 5: rename

rename

Stage 6: table

table Error_Code, ServiceName, _time, dest, isSuspicious, src_ip, user

Stage 7: search

search `macro`
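The stage pipeline above, re-implemented in Python over constructed 4769 records as an added example (this is not Splunk's own SPL or code). It assumes the elided eval compares TargetUserName with its realm suffix stripped against ServiceName case-insensitively, that the two rename stages produce the dest and user columns from ComputerName and TargetUserName, and that src_ip and Error_Code are already extracted under those names.

```python
# Constructed sample 4769 records (not real telemetry) using the field names
# the rule's stages reference; src_ip/Error_Code naming is an assumption.
SAMPLE_EVENTS = [
    # Normal: a user requests a service ticket for a file server.
    {"_time": "2021-12-13T08:02:11Z", "EventCode": "4769", "src_ip": "10.0.5.23",
     "ComputerName": "dc01.corp.example", "TargetUserName": "jdoe@CORP.EXAMPLE",
     "ServiceName": "FS01$", "Error_Code": "0x0"},
    # Normal: a domain controller's machine account requesting krbtgt.
    {"_time": "2021-12-13T08:02:30Z", "EventCode": "4769", "src_ip": "10.0.0.10",
     "ComputerName": "dc01.corp.example", "TargetUserName": "DC01$@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "Error_Code": "0x0"},
    # Suspicious: requesting account name equals the service name, the
    # pattern the rule associates with CVE-2021-42278 / CVE-2021-42287.
    {"_time": "2021-12-13T08:03:05Z", "EventCode": "4769", "src_ip": "10.0.5.23",
     "ComputerName": "dc01.corp.example", "TargetUserName": "DC01@CORP.EXAMPLE",
     "ServiceName": "dc01", "Error_Code": "0x0"},
    # A TGT request (4768), not a TGS request: dropped by stage 1.
    {"_time": "2021-12-13T08:03:09Z", "EventCode": "4768", "src_ip": "10.0.5.23",
     "ComputerName": "dc01.corp.example", "TargetUserName": "DC01@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "Error_Code": "0x0"},
]

def is_suspicious(event):
    """Stage 2 (assumed form): 1 if the requesting account, realm suffix
    stripped, equals the service name case-insensitively; otherwise 0."""
    account = event.get("TargetUserName", "").split("@", 1)[0]
    service = event.get("ServiceName", "")
    return 1 if account and account.lower() == service.lower() else 0

def run_detection(events):
    """Stages 1-6: keep 4769 events, flag them, keep only hits, rename
    ComputerName->dest and TargetUserName->user, project the table columns."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != "4769":  # stage 1
            continue
        flag = is_suspicious(ev)           # stage 2
        if flag != 1:                      # stage 3
            continue
        rows.append({                      # stages 4-6
            "_time": ev["_time"], "dest": ev["ComputerName"],
            "src_ip": ev["src_ip"], "user": ev["TargetUserName"],
            "ServiceName": ev["ServiceName"], "Error_Code": ev["Error_Code"],
            "isSuspicious": flag,
        })
    return rows
```

Running `run_detection(SAMPLE_EVENTS)` returns only the third record; the macro in stage 7 (a site-specific filter) is not modelled.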

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field         Kind  Values
EventCode     eq    • 4769 (corpus 6: splunk 6)
isSuspicious  eq    • 1

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.