Techniques
Sample rules
Suspicious Ticket Granting Ticket Request
- source: splunk
- techniques:
- T1078
- T1078.002
Description
As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name change event. This analytic leverages Event ID 4781, "The name of an account was changed", and Event ID 4768, "A Kerberos authentication ticket (TGT) was requested", to correlate a sequence of events in which the new account name in Event ID 4781 matches the requesting account in Event ID 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.
Detection logic
`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$")
| eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)
| transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768)
| eval short_lived=case((duration<2),"TRUE")
| search short_lived = TRUE
| table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived
| rename Computer as dest
| `suspicious_ticket_granting_ticket_request_filter`
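The following is an added worked example, not code from the Splunk rule above: a small Python re-implementation of the same correlation, run over constructed 4781/4768 events so the filtering and the two-second `transaction` window can be inspected outside Splunk. The field names (`EventCode`, `OldTargetUserName`, `NewTargetUserName`, `TargetUserName`, `Computer`, `_time`) are taken from the search; the sample event values, hostnames and timestamps are constructed for illustration only.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample events (not real logs). Only the fields the search
# keys on are included; _time is an ISO-8601 string.
SAMPLE_EVENTS: List[Dict] = [
    # Computer account renamed so the trailing "$" is dropped (4781) ...
    {"_time": "2021-12-13T10:00:00", "Computer": "DC01.corp.example",
     "EventCode": 4781, "OldTargetUserName": "WKS-DEMO$", "NewTargetUserName": "DC01"},
    # ... followed within two seconds by a TGT request for that new name (4768).
    {"_time": "2021-12-13T10:00:01", "Computer": "DC01.corp.example",
     "EventCode": 4768, "TargetUserName": "DC01"},
    # Benign: a user account rename; OldTargetUserName has no "$", so the
    # search never selects the 4781 and no transaction can start.
    {"_time": "2021-12-13T10:05:00", "Computer": "DC01.corp.example",
     "EventCode": 4781, "OldTargetUserName": "jdoe", "NewTargetUserName": "john.doe"},
    {"_time": "2021-12-13T10:05:01", "Computer": "DC01.corp.example",
     "EventCode": 4768, "TargetUserName": "john.doe"},
    # Benign: an ordinary computer TGT request; the name keeps its "$".
    {"_time": "2021-12-13T10:06:00", "Computer": "DC01.corp.example",
     "EventCode": 4768, "TargetUserName": "WKS-OTHER$"},
    # Matching rename, but the TGT request falls far outside the window.
    {"_time": "2021-12-13T11:00:00", "Computer": "DC01.corp.example",
     "EventCode": 4781, "OldTargetUserName": "WKS-SLOW$", "NewTargetUserName": "SLOWHOST"},
    {"_time": "2021-12-13T11:02:00", "Computer": "DC01.corp.example",
     "EventCode": 4768, "TargetUserName": "SLOWHOST"},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def is_computer_rename(ev: Dict) -> bool:
    """(EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$")"""
    return (ev["EventCode"] == 4781
            and ev["OldTargetUserName"].endswith("$")
            and not ev["NewTargetUserName"].endswith("$"))


def is_non_computer_tgt(ev: Dict) -> bool:
    """(EventCode=4768 TargetUserName!="*$")"""
    return ev["EventCode"] == 4768 and not ev["TargetUserName"].endswith("$")


def correlate(events: List[Dict], max_duration_seconds: float = 2.0) -> List[Dict]:
    """Mirror the SPL: RenamedComputerAccount = coalesce(NewTargetUserName,
    TargetUserName); transaction startswith 4781, endswith 4768; keep only
    transactions whose duration is below max_duration_seconds.

    sAMAccountNames are case-insensitive, so the key is lower-cased
    (Splunk field matching is likewise case-insensitive by default)."""
    open_renames: Dict[str, Dict] = {}   # RenamedComputerAccount -> 4781 event
    hits: List[Dict] = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        if is_computer_rename(ev):
            open_renames[ev["NewTargetUserName"].lower()] = ev
        elif is_non_computer_tgt(ev):
            key = ev["TargetUserName"].lower()
            start = open_renames.pop(key, None)
            if start is None:
                continue  # 4768 with no preceding qualifying 4781: no transaction
            duration = (parse_time(ev["_time"]) - parse_time(start["_time"])).total_seconds()
            if duration < max_duration_seconds:
                hits.append({
                    "_time": start["_time"],
                    "dest": ev["Computer"],               # rename Computer as dest
                    "RenamedComputerAccount": ev["TargetUserName"],
                    "OldTargetUserName": start["OldTargetUserName"],
                    "duration": duration,
                    "short_lived": True,
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample set, only the `WKS-DEMO$` to `DC01` rename followed one second later by a TGT request for `DC01` is reported; the user rename never starts a transaction, the `$`-suffixed TGT request is filtered by the base search, and the `SLOWHOST` pair is dropped by the duration check. Tuning the window means changing `max_duration_seconds` (the `duration<2` term in the SPL), and anything suppressed in production by the `suspicious_ticket_granting_ticket_request_filter` macro would be applied on top of these results.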