LoFP / a computer account name change event inmediately followed by a kerberos tgt request with matching fields is unsual. however, legitimate behavior may trigger it. filter as needed.

Techniques

• T1078
• T1078.002

Sample rules

Suspicious Ticket Granting Ticket Request

• source: splunk
• technicques:
  • T1078
  • T1078.002

Description

As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, The name of an account was changed and event Id 4768 A Kerberos authentication ticket (TGT) was requested to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.

Detection logic

 `wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$") 
| eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName) 
| transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768) 
| eval short_lived=case((duration<2),"TRUE") 
| search short_lived = TRUE 
| table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived 
| rename Computer as dest 
| `suspicious_ticket_granting_ticket_request_filter`