Techniques
Sample rules
Windows Kerberos Local Successful Logon
- source: splunk
- techniques:
  - T1558
Description
The following analytic identifies a local successful authentication event on a Windows endpoint using the Kerberos package. It detects EventCode 4624 with LogonType 3 and source address 127.0.0.1, indicating a login to the built-in local Administrator account. This activity is significant as it may suggest a Kerberos relay attack, a method attackers use to escalate privileges. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive systems, execute arbitrary code, or create new accounts in Active Directory, leading to potential system compromise.
Detection logic
`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1
| stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_kerberos_local_successful_logon_filter`
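To make the detection logic above testable outside Splunk, here is an added Python example (not code from the Splunk security content project) that re-implements the same search over a handful of constructed 4624 events: the search-time filter, the `stats count min(_time) max(_time) by ...` aggregation, and a stand-in for the tuning macro. The field names mirror those in the SPL; the sample events, the `allowlist` tuning mechanism and the timestamp display format are assumptions made for the example.

```python
"""Offline re-implementation of the SPL search above (added example, not
Splunk's own code). Constructed sample events stand in for wineventlog_security."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events. Field names follow the SPL: EventCode, LogonType,
# AuthenticationPackageName, action, src, dest, user, TargetUserName,
# SubjectLogonId, subject. Only the first two should match the analytic.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "action": "success", "src": "127.0.0.1",
     "dest": "WKSTN01", "user": "Administrator", "TargetUserName": "Administrator",
     "SubjectLogonId": "0x3e7", "subject": "-"},
    {"_time": "2024-05-01T10:05:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "action": "success", "src": "127.0.0.1",
     "dest": "WKSTN01", "user": "Administrator", "TargetUserName": "Administrator",
     "SubjectLogonId": "0x3e7", "subject": "-"},
    # Same shape but NTLM package: outside the scope of this analytic.
    {"_time": "2024-05-01T10:06:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "action": "success", "src": "127.0.0.1",
     "dest": "WKSTN01", "user": "Administrator", "TargetUserName": "Administrator",
     "SubjectLogonId": "0x3e7", "subject": "-"},
    # Ordinary remote Kerberos network logon: src is not the loopback address.
    {"_time": "2024-05-01T10:07:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "action": "success", "src": "10.0.0.5",
     "dest": "FS01", "user": "alice", "TargetUserName": "alice",
     "SubjectLogonId": "0x3e7", "subject": "-"},
    # Interactive logon (LogonType 2), not a network logon: not matched.
    {"_time": "2024-05-01T10:08:00Z", "EventCode": 4624, "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "action": "success", "src": "127.0.0.1",
     "dest": "WKSTN01", "user": "bob", "TargetUserName": "bob",
     "SubjectLogonId": "0x3e7", "subject": "-"},
]

# The `by` clause of the stats command.
GROUP_BY = ("dest", "subject", "action", "SubjectLogonId", "user", "TargetUserName", "src")


def matches(event):
    """The search-time filter on the first line of the SPL."""
    return (
        event.get("EventCode") == 4624
        and event.get("LogonType") == 3
        and event.get("AuthenticationPackageName") == "Kerberos"
        and event.get("action") == "success"
        and event.get("src") == "127.0.0.1"
    )


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """stats count min(_time) as firstTime max(_time) as lastTime by GROUP_BY.
    Returns one dict per group, in the spirit of a Splunk results table."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = tuple(ev.get(f) for f in GROUP_BY)
            groups[key].append(_parse_time(ev["_time"]))
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        # security_content_ctime renders epoch times for humans; the exact
        # display format used here is an assumption for the example.
        row["firstTime"] = min(times).strftime("%Y-%m-%dT%H:%M:%S")
        row["lastTime"] = max(times).strftime("%Y-%m-%dT%H:%M:%S")
        rows.append(row)
    return rows


def apply_filter(rows, allowlist=()):
    """Stand-in for the `windows_kerberos_local_successful_logon_filter` macro
    (assumed tuning mechanism): drop (dest, user) pairs known to be benign."""
    allowed = set(allowlist)
    return [r for r in rows if (r["dest"], r["user"]) not in allowed]


if __name__ == "__main__":
    for row in apply_filter(detect(SAMPLE_EVENTS)):
        print(row)
```

Running the script yields a single result row for WKSTN01 / Administrator with `count` 2, while the NTLM, remote-source and interactive events fall out at the filter stage. The `apply_filter` step is where known-good loopback Kerberos logons (for example, a service that is documented to authenticate to itself) would be tuned out rather than by loosening the search itself.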