Windows Computer Account Requesting Kerberos Ticket

Author: Michael Haag, Splunk
Source: upstream

The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1558` Steal or Forge Kerberos Tickets

Event coverage

Provider	Event ID	Title
Security-Auditing	4768	A Kerberos authentication ticket (TGT) was requested.

Stages and Predicates

Stage 1: `search`

search EventCode=4768 TargetUserName="*$" src_ip!="::1"

Stage 2: `stats`

stats BY dest, subject, action, user, TargetUserName, src_ip

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`4768` corpus 10 (splunk 10)
`TargetUserName`	eq	`"*$"` corpus 2 (splunk 2)
`src_ip`	ne	`"::1"`

Windows Computer Account Requesting Kerberos Ticket

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search