Techniques
Sample rules
Suspicious Ticket Granting Ticket Request
- source: splunk
- techniques:
- T1078
- T1078.002
Description
The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287 (sAMAccountName spoofing). It pairs Event ID 4781 ("The name of an account was changed") with Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested") to find sequences in which a computer account (name ending in `$`) is renamed to a name without the trailing `$` and a TGT is then requested for that new name within two seconds. This pattern matters because it is the first step of an attempt to escalate privileges by impersonating a Domain Controller's account. Both events are written to the Security log of the domain controller that handled the change and the TGT request, so the rule only works if Security logs from every DC are collected. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.
Detection logic
`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$")
| eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)
| transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768)
| eval short_lived=case((duration<2),"TRUE")
| search short_lived = TRUE
| table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived
| rename Computer as dest
| `suspicious_ticket_granting_ticket_request_filter`
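The pairing logic in the search above (filter 4781/4768, coalesce the account name, close a 4781-to-4768 transaction per name, keep only pairs under two seconds apart) re-implemented in Python so it can be checked against sample events offline. This is an added example, not Splunk's own code; the event records are constructed to mirror the fields the SPL references, and the field and host names in them are made up.

```python
"""Offline re-implementation of the 4781 -> 4768 pairing used by the rule.
Added example, not the Splunk rule itself. SAMPLE_EVENTS are constructed
records (not real logs) with the fields the SPL references."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Hostnames and account names are hypothetical.
SAMPLE_EVENTS = [
    # Attacker renames the joined machine account WS01$ to DC01 (no '$')...
    {"_time": "2021-12-13T10:00:00", "Computer": "DC01.corp.local",
     "EventCode": 4781, "OldTargetUserName": "WS01$", "NewTargetUserName": "DC01"},
    # ...immediately requests a TGT as DC01...
    {"_time": "2021-12-13T10:00:01", "Computer": "DC01.corp.local",
     "EventCode": 4768, "TargetUserName": "DC01"},
    # ...and renames it back (old name has no '$', so the base search drops it).
    {"_time": "2021-12-13T10:00:02", "Computer": "DC01.corp.local",
     "EventCode": 4781, "OldTargetUserName": "DC01", "NewTargetUserName": "WS01$"},
    # Benign: an admin renames a user account and the user logs on.
    {"_time": "2021-12-13T11:00:00", "Computer": "DC01.corp.local",
     "EventCode": 4781, "OldTargetUserName": "jsmith", "NewTargetUserName": "john.smith"},
    {"_time": "2021-12-13T11:00:00", "Computer": "DC01.corp.local",
     "EventCode": 4768, "TargetUserName": "john.smith"},
    # Benign: a machine account renamed to another machine name keeps its '$'.
    {"_time": "2021-12-13T12:00:00", "Computer": "DC01.corp.local",
     "EventCode": 4781, "OldTargetUserName": "WS02$", "NewTargetUserName": "WS03$"},
    {"_time": "2021-12-13T12:00:00", "Computer": "DC01.corp.local",
     "EventCode": 4768, "TargetUserName": "WS03$"},
    # Rename followed by a TGT request a minute later: not "short-lived".
    {"_time": "2021-12-13T13:00:00", "Computer": "DC01.corp.local",
     "EventCode": 4781, "OldTargetUserName": "WS04$", "NewTargetUserName": "SRV01"},
    {"_time": "2021-12-13T13:01:00", "Computer": "DC01.corp.local",
     "EventCode": 4768, "TargetUserName": "SRV01"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["_time"])


def matches_base_search(ev):
    """First SPL line: 4781 where a '$' account became a non-'$' name,
    or 4768 for a non-'$' principal."""
    if ev["EventCode"] == 4781:
        return (ev["OldTargetUserName"].endswith("$")
                and not ev["NewTargetUserName"].endswith("$"))
    if ev["EventCode"] == 4768:
        return not ev["TargetUserName"].endswith("$")
    return False


def renamed_account(ev):
    """Equivalent of coalesce(NewTargetUserName, TargetUserName)."""
    return ev.get("NewTargetUserName") or ev.get("TargetUserName")


def find_suspicious_tgt_requests(events, max_duration_s=2.0):
    """Pair each qualifying 4781 with the next 4768 for the same name
    (transaction ... startswith=4781 endswith=4768) and keep pairs whose
    span is under max_duration_s (the short_lived eval). Orphan events
    with no matching start or end are dropped, as transaction does by default."""
    by_name = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if matches_base_search(ev):
            by_name[renamed_account(ev)].append(ev)

    hits = []
    for name, evs in by_name.items():
        open_rename = None
        for ev in evs:
            if ev["EventCode"] == 4781:
                open_rename = ev              # transaction start
            elif ev["EventCode"] == 4768 and open_rename is not None:
                duration = (_ts(ev) - _ts(open_rename)).total_seconds()
                if duration < max_duration_s:
                    hits.append({"_time": ev["_time"], "dest": ev["Computer"],
                                 "RenamedComputerAccount": name,
                                 "OldTargetUserName": open_rename["OldTargetUserName"],
                                 "duration": duration})
                open_rename = None            # transaction closed
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_tgt_requests(SAMPLE_EVENTS):
        print(hit)
```

Only the WS01$ to DC01 sequence produces a hit: the user rename never matched the `OldTargetUserName="*$"` filter, the WS02$ to WS03$ rename kept its trailing `$`, and the SRV01 request arrived 60 seconds after the rename, outside the two-second window. The rename back to WS01$ is deliberately ignored by the base search, which is why the rule keys on the first rename rather than the round trip.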