Suspicious Ticket Granting Ticket Request

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.

MITRE ATT&CK coverage

Tactic                Technique
Initial Access        T1078.002 Valid Accounts: Domain Accounts
Persistence           T1078.002 Valid Accounts: Domain Accounts
Privilege Escalation  T1078.002 Valid Accounts: Domain Accounts
Defense Evasion       T1078.002 Valid Accounts: Domain Accounts

Event coverage

Provider           Event ID  Title
Security-Auditing  4768      A Kerberos authentication ticket (TGT) was requested.
Security-Auditing  4781      The name of an account was changed.

Stages and Predicates

Stage 1: search

search ((EventCode=4768 TargetUserName!="*$") OR (EventCode=4781 NewTargetUserName!="*$" OldTargetUserName="*$"))

Stage 2: eval

eval ... using (NewTargetUserName, TargetUserName)

Stage 3: transaction

transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768)

Stage 4: eval

eval ... using (duration)

Stage 5: search

search short_lived=TRUE

Stage 6: table

table Computer, EventCode, RenamedComputerAccount, TargetUserName, _time, short_lived

Stage 7: rename

rename

Stage 8: search

search `macro`
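The stage list above reads as a pipeline, so the following Python re-implements it end to end over a handful of constructed Windows Security events. This is an added example, not Splunk's own code or the rule's SPL: the event dicts are constructed, the field names follow the Splunk-extracted names used in the stages, and the duration threshold for short_lived (2 seconds here) is an assumption, since the page elides the eval expression. The elided rename stage and the closing filter macro are not reproduced.

```python
"""Offline model of the 4781 -> 4768 correlation described in the stages above.

Added example (not Splunk's code). Sample events are constructed; the
short_lived threshold is an assumed parameter.
"""
from typing import Any, Dict, List

Event = Dict[str, Any]

# Constructed sample events. Field names mirror Splunk's WinEventLog extractions.
SAMPLE_EVENTS: List[Event] = [
    # benign: an ordinary user requests a TGT, no preceding rename
    {"_time": 100.0, "EventCode": 4768, "TargetUserName": "alice", "Computer": "DC01"},
    # machine account WS01$ renamed to a DC-like name without the trailing '$' ...
    {"_time": 200.0, "EventCode": 4781, "OldTargetUserName": "WS01$",
     "NewTargetUserName": "DC01", "Computer": "DC01"},
    # ... and one second later a TGT is requested for the new name
    {"_time": 201.0, "EventCode": 4768, "TargetUserName": "DC01", "Computer": "DC01"},
    # rename followed by a TGT request 100 s later: correlates, but not short-lived
    {"_time": 300.0, "EventCode": 4781, "OldTargetUserName": "WS02$",
     "NewTargetUserName": "svc-backup", "Computer": "DC01"},
    {"_time": 400.0, "EventCode": 4768, "TargetUserName": "svc-backup", "Computer": "DC01"},
    # rename to another '$' name: excluded by the stage 1 filter
    {"_time": 500.0, "EventCode": 4781, "OldTargetUserName": "WS03$",
     "NewTargetUserName": "WS04$", "Computer": "DC01"},
]

TABLE_FIELDS = ("Computer", "EventCode", "RenamedComputerAccount",
                "TargetUserName", "_time", "short_lived")


def stage_search(events: List[Event]) -> List[Event]:
    """Stage 1: 4768 for non-'$' principals, 4781 where a '$' name became a non-'$' name."""
    kept = []
    for e in events:
        code = e.get("EventCode")
        if code == 4768 and not str(e.get("TargetUserName", "")).endswith("$"):
            kept.append(e)
        elif (code == 4781
              and str(e.get("OldTargetUserName", "")).endswith("$")
              and not str(e.get("NewTargetUserName", "")).endswith("$")):
            kept.append(e)
    return kept


def stage_eval_account(events: List[Event]) -> List[Event]:
    """Stage 2: RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)."""
    out = []
    for e in events:
        row = dict(e)  # do not mutate the caller's events
        row["RenamedComputerAccount"] = row.get("NewTargetUserName") or row.get("TargetUserName")
        out.append(row)
    return out


def stage_transaction(events: List[Event]) -> List[Event]:
    """Stage 3: per account, open on a 4781 and close on the next 4768 for the same name."""
    open_tx: Dict[str, Event] = {}
    closed: List[Event] = []
    for e in sorted(events, key=lambda x: x["_time"]):
        acct = e["RenamedComputerAccount"]
        if e["EventCode"] == 4781:
            # startswith: a new rename opens (or restarts) the transaction for this account
            open_tx[acct] = {"_time": e["_time"], "Computer": e.get("Computer"),
                             "RenamedComputerAccount": acct, "EventCode": [4781],
                             "TargetUserName": None}
        elif e["EventCode"] == 4768 and acct in open_tx:
            # endswith: the TGT request closes it; duration = last event - first event
            tx = open_tx.pop(acct)
            tx["EventCode"].append(4768)
            tx["TargetUserName"] = e["TargetUserName"]
            tx["duration"] = e["_time"] - tx["_time"]
            closed.append(tx)
    return closed


def stage_eval_short_lived(txs: List[Event], threshold_seconds: float) -> List[Event]:
    """Stage 4: flag transactions whose duration is under the (assumed) threshold."""
    for tx in txs:
        tx["short_lived"] = "TRUE" if tx["duration"] < threshold_seconds else "FALSE"
    return txs


def detect(events: List[Event], threshold_seconds: float = 2.0) -> List[Event]:
    """Stages 1-6: returns the table rows the rule would emit (rename/macro stages omitted)."""
    txs = stage_transaction(stage_eval_account(stage_search(events)))
    txs = stage_eval_short_lived(txs, threshold_seconds)
    hits = [tx for tx in txs if tx["short_lived"] == "TRUE"]   # stage 5
    return [{k: tx[k] for k in TABLE_FIELDS} for tx in hits]   # stage 6


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Run against the sample set, only the WS01$ -> DC01 rename followed one second later by a TGT request survives; the svc-backup pair correlates but is dropped at stage 5, which is the point of the duration check: a rename and an immediate TGT request for a non-'$' name that used to be a computer account is what separates this pattern from routine account administration. Raising the threshold widens the net at the cost of noise, so tune it against your own 4781 volume.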

Indicators

Each row is a field, an operator, and the value(s) the rule matches on. The corpus column counts how many other rules in the catalog look for the same field/operator/value combination: high numbers point to widely used, community-vetted indicators; a blank or a count of 1 shows that the indicator is specific to this rule.

Field              Kind  Values
EventCode          eq    4768  corpus 10 (splunk 10)
                         4781  corpus 2 (splunk 2)
NewTargetUserName  ne    "*$"  corpus 2 (splunk 2)
OldTargetUserName  eq    "*$"  corpus 2 (splunk 2)
TargetUserName     ne    "*$"  corpus 7 (splunk 7)
short_lived        eq    TRUE  corpus 4 (splunk 4)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.