LoFP

Based on Microsoft documentation, legacy systems or applications will use RC4-HMAC as the default encryption for TGT requests; specifically, systems before Windows Server 2008 and Windows Vista. Newer systems will use AES128 or AES256.

Sample rules

Kerberos TGT Request Using RC4 Encryption

Description

The following analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Similar to Pass The Hash, OverPass The Hash is a form of credential theft that allows adversaries to move laterally or consume resources in a target network. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account is able to authenticate to the Key Distribution Center (KDC) on behalf of the legitimate account and obtain a Kerberos TGT. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.

Detection logic

`wineventlog_security` EventCode=4768 TicketEncryptionType=0x17 ServiceName!=*$
| stats count min(_time) as firstTime max(_time) as lastTime by ServiceName src_ip dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kerberos_tgt_request_using_rc4_encryption_filter`

Kerberos Service Ticket Request Using RC4 Encryption

Description

The following analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Ticket Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Server 2008 and newer support AES Kerberos encryption. Defenders should note that if an attacker does not leverage the NTLM password hash but rather the AES key to create a golden ticket, this detection may be bypassed.

Detection logic

`wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17
| stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, TicketEncryptionType, TicketOptions
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `kerberos_service_ticket_request_using_rc4_encryption_filter`
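The two SPL searches above, re-implemented in Python over constructed Event 4768/4769 records so the matching and the `stats` aggregation can be checked offline. This is an added example, not Splunk's or the content pack's own code; field names follow the SPL, the events and IP addresses are made up, and the `legacy_src_ips` allowlist is an assumed stand-in for what the `*_filter` macros are used for when the known pre-2008 hosts from the false-positive note are tuned out.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC
# TicketOptions values the 4769 rule above matches on
GOLDEN_TICKET_OPTIONS = {"0x40810000", "0x40800000", "0x40810010"}

def ev(code, etype, svc, t, **extra):
    """Build one constructed wineventlog_security row (field names as in the SPL)."""
    return {"EventCode": code, "TicketEncryptionType": etype,
            "ServiceName": svc, "_time": t, "dest": "dc01", **extra}

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    ev("4768", "0x17", "krbtgt", 100, src_ip="10.0.0.5"),   # RC4 TGT request
    ev("4768", "0x17", "krbtgt", 160, src_ip="10.0.0.5"),   # same source again
    ev("4768", "0x12", "krbtgt", 120, src_ip="10.0.0.7"),   # AES256: not matched
    ev("4768", "0x17", "krbtgt", 130, src_ip="10.0.0.8"),   # RC4 from an assumed legacy host
    ev("4768", "0x17", "WS01$", 140, src_ip="10.0.0.9"),    # ServiceName ends in $: excluded
    ev("4769", "0x17", "FS01$", 200, TicketOptions="0x40810000",
       service="FS01$", service_id="S-1-5-21-EXAMPLE"),      # matches the 4769 rule
    ev("4769", "0x17", "http/web01", 210, TicketOptions="0x40810000",
       service="http/web01", service_id="S-1-5-21-EXAMPLE"), # no $ suffix: excluded
    ev("4769", "0x17", "FS01$", 220, TicketOptions="0x40800010",
       service="FS01$", service_id="S-1-5-21-EXAMPLE"),      # options not listed: excluded
]

def tgt_rc4_requests(events, legacy_src_ips=frozenset()):
    """4768 rule: RC4 TGT requests whose ServiceName does not end in '$'.
    legacy_src_ips is an assumed allowlist standing in for the *_filter macro."""
    return [e for e in events
            if e["EventCode"] == "4768" and e["TicketEncryptionType"] == RC4_HMAC
            and not e["ServiceName"].endswith("$")
            and e.get("src_ip") not in legacy_src_ips]

def service_ticket_rc4_requests(events):
    """4769 rule: RC4 service ticket for a computer account with a listed TicketOptions."""
    return [e for e in events
            if e["EventCode"] == "4769" and e["ServiceName"].endswith("$")
            and e.get("TicketOptions") in GOLDEN_TICKET_OPTIONS
            and e["TicketEncryptionType"] == RC4_HMAC]

def stats_by(events, *fields):
    """Equivalent of: stats count min(_time) as firstTime max(_time) as lastTime by fields."""
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e.get(f) for f in fields)].append(e["_time"])
    return {k: {"count": len(ts), "firstTime": min(ts), "lastTime": max(ts)}
            for k, ts in groups.items()}
```

Calling `stats_by(tgt_rc4_requests(SAMPLE_EVENTS, {"10.0.0.8"}), "ServiceName", "src_ip", "dest")` reproduces the first search's output table, with the legacy host removed the way the filter macro would.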