
Windows Domain Admin Impersonation Indicator

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic identifies potential Kerberos ticket forging attacks, specifically the Diamond Ticket attack. It fires when a user logs into a host and the GroupMembership field in event 4627 indicates a privileged group (e.g., Domain Admins), but the user does not actually belong to that group in the directory service. The detection leverages Windows Security Event Log 4627, which is written alongside each account logon and records the group memberships of the logged-on account. The analytic cross-references the GroupMembership field from the event against a pre-populated lookup of actual group memberships. It is crucial to note that the accuracy and effectiveness of this detection depend heavily on the user's diligence in populating and regularly updating this lookup table. Any discrepancy between the event's GroupMembership and the lookup indicates potential ticket forging.

Kerberos ticket forging, especially the Diamond Ticket attack, allows attackers to impersonate any user and potentially gain unauthorized access to resources. By forging a ticket that indicates membership in a privileged group, an attacker can bypass security controls and gain elevated privileges. Detecting such discrepancies in group memberships during logon events can be a strong indicator of this attack in progress, making it crucial for security teams to monitor and investigate. If validated as a true positive, this indicates that an attacker has successfully forged a Kerberos ticket and may have gained unauthorized access to critical resources, potentially with elevated privileges.

MITRE ATT&CK coverage

Tactic            | Techniques
Credential Access | T1558 Steal or Forge Kerberos Tickets

Event coverage

Provider           | Event ID | Title
Security-Auditing  | 4627     | Group membership information.

Stages and Predicates

Stage 1: search

search NOT TargetUserName IN ("*$", "ANONYMOUS LOGON", "DWM-*", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", "UMFD-*") EventCode=4627 LogonType=3

Stage 2: where

where GroupMembership="Domain Admins"

Stage 3: stats

stats BY _time, TargetUserName, GroupMembership, action, app, dest, signature_id, user, vendor_product

Stage 4: lookup

lookup <lookup> TargetUserName, username

Stage 5: fillnull

fillnull

Stage 6: search

search username="NotDA"

Stage 7: search

search `macro`
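To make the pipeline above concrete, here is an added example (not Splunk's or the rule author's code) that replays stages 1 through 6 in Python over a handful of constructed 4627 events. The Domain Admins membership set stands in for the lookup table the rule expects you to maintain, the field names follow the SPL stages, and the fillnull value "NotDA" is inferred from the stage 6 search rather than shown on the page.

```python
"""Offline model of the Domain Admin impersonation rule: filter, match, dedupe,
look up, and flag logons whose claimed Domain Admins membership the lookup
cannot confirm. Added example; field names mirror the SPL stages above."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set

# Stage 1 exclusions, copied from the rule (Splunk-style wildcards).
EXCLUDED_USERS = ["*$", "ANONYMOUS LOGON", "DWM-*", "LOCAL SERVICE",
                  "NETWORK SERVICE", "SYSTEM", "UMFD-*"]

# Stand-in for the lookup table of real Domain Admins. Constructed for this
# example; in production it must be populated from the directory and kept current.
DOMAIN_ADMIN_LOOKUP: Set[str] = {"alice", "admin-ops"}

# Constructed sample events shaped like the fields the stages reference.
SAMPLE_EVENTS: List[Dict] = [
    {"_time": 1700000000, "EventCode": 4627, "LogonType": 3, "TargetUserName": "alice",
     "GroupMembership": "Domain Admins", "dest": "dc01"},      # real DA: no alert
    {"_time": 1700000010, "EventCode": 4627, "LogonType": 3, "TargetUserName": "bob",
     "GroupMembership": "Domain Admins", "dest": "fs01"},      # not in lookup: alert
    {"_time": 1700000010, "EventCode": 4627, "LogonType": 3, "TargetUserName": "bob",
     "GroupMembership": "Domain Admins", "dest": "fs01"},      # duplicate row, collapsed by stats
    {"_time": 1700000020, "EventCode": 4627, "LogonType": 3, "TargetUserName": "DC01$",
     "GroupMembership": "Domain Admins", "dest": "dc01"},      # machine account: excluded
    {"_time": 1700000030, "EventCode": 4627, "LogonType": 2, "TargetUserName": "carol",
     "GroupMembership": "Domain Admins", "dest": "ws01"},      # interactive logon: out of scope
    {"_time": 1700000040, "EventCode": 4627, "LogonType": 3, "TargetUserName": "dave",
     "GroupMembership": "Domain Users", "dest": "fs01"},       # no DA claim
    {"_time": 1700000050, "EventCode": 4624, "LogonType": 3, "TargetUserName": "eve",
     "GroupMembership": "Domain Admins", "dest": "fs01"},      # wrong event ID
]


def is_excluded(user: str) -> bool:
    """Stage 1: NOT TargetUserName IN (...), matched case-insensitively like Splunk."""
    u = user.lower()
    return any(fnmatchcase(u, pattern.lower()) for pattern in EXCLUDED_USERS)


def detect_forged_da_logons(events: Iterable[Dict], domain_admins: Set[str]) -> List[Dict]:
    """Replay stages 1-6 and return the rows that would alert."""
    # Stages 1-2: event 4627, network logon, non-service account, claims Domain Admins.
    candidates = [
        e for e in events
        if e.get("EventCode") == 4627
        and e.get("LogonType") == 3
        and not is_excluded(e.get("TargetUserName", ""))
        and e.get("GroupMembership") == "Domain Admins"
    ]
    # Stage 3: stats BY _time, TargetUserName, GroupMembership, dest, ... collapses duplicates.
    seen = set()
    rows: List[Dict] = []
    for e in candidates:
        key = (e.get("_time"), e["TargetUserName"], e["GroupMembership"], e.get("dest"))
        if key in seen:
            continue
        seen.add(key)
        rows.append(dict(e))
    # Stages 4-5: lookup TargetUserName -> username; rows with no match are filled
    # with "NotDA" (fill value assumed from the stage 6 search).
    admins_lower = {a.lower() for a in domain_admins}
    for r in rows:
        name = r["TargetUserName"]
        r["username"] = name if name.lower() in admins_lower else "NotDA"
    # Stage 6: keep only the rows the lookup could not vouch for.
    return [r for r in rows if r["username"] == "NotDA"]


if __name__ == "__main__":
    for hit in detect_forged_da_logons(SAMPLE_EVENTS, DOMAIN_ADMIN_LOOKUP):
        print(f"ALERT: {hit['TargetUserName']} logged on to {hit['dest']} "
              f"claiming {hit['GroupMembership']} but is not in the lookup")
```

Run against the constructed sample only "bob" is reported: the machine account, the interactive logon, the non-DA claim and the 4624 event all drop out before the lookup, and a stale or incomplete `DOMAIN_ADMIN_LOOKUP` would turn legitimate admins into false positives, which is exactly why the rule's description stresses keeping that table current.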

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field | Kind | Excluded values
1     | user  | in   | "*$", "ANONYMOUS LOGON", "DWM-*", "LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", "UMFD-*"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field           | Kind  | Values          | Corpus
EventCode       | eq    | 4627            |
GroupMembership | match | "Domain Admins" |
LogonType       | eq    | 3               | 12 (splunk 7, sigma 5)
username        | eq    | "NotDA"         |