Techniques
Sample rules
Windows Kerberos Local Successful Logon
- source: splunk
- techniques:
- T1558
Description
The following analytic identifies a successful local authentication event on a Windows endpoint that used the Kerberos authentication package. In the matching events the target user's security identifier is that of the built-in local Administrator account and the remote address is localhost (127.0.0.1). A Kerberos network logon (LogonType 3) to the local Administrator account arriving from the loopback address may be indicative of a Kerberos relay attack. Upon triage, review binaries that recently ran from disk on the host. In addition, look for new computer accounts added to Active Directory and other anomalous AD events.
Detection logic
`wineventlog_security` EventCode=4624 LogonType=3 AuthenticationPackageName=Kerberos action=success src=127.0.0.1
| stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, SubjectLogonId, user, TargetUserName, src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_kerberos_local_successful_logon_filter`
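The search above, replayed in plain Python over constructed EventCode 4624 records so the base filter, the stats aggregation and the triage hint from the description can be run offline. This is an added example, not code from the Splunk content or its project; the sample events are constructed, `TargetUserSid` is an assumed extra field used only for the triage helper, and the `allowlist` stand-in for the `windows_kerberos_local_successful_logon_filter` macro is an assumed tuning.

```python
"""Added example: the Windows Kerberos Local Successful Logon search replayed
over constructed 4624 records. Not part of the Splunk detection content."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events shaped like the fields the SPL references.
# TargetUserSid is an assumed extra field, present only for the triage helper.
SAMPLE_EVENTS = [
    # Ordinary Kerberos network logon from a remote host: src is not loopback.
    {"_time": "2024-03-01T09:00:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "action": "success",
     "dest": "WS01", "subject": "-", "SubjectLogonId": "0x3e7",
     "user": "jsmith", "TargetUserName": "jsmith",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1104", "src": "10.0.0.25"},
    # Loopback network logon, but NTLM: not the Kerberos package the search wants.
    {"_time": "2024-03-01T09:05:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "action": "success",
     "dest": "WS01", "subject": "-", "SubjectLogonId": "0x3e7",
     "user": "svc_backup", "TargetUserName": "svc_backup",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-1200", "src": "127.0.0.1"},
    # Two Kerberos network logons from 127.0.0.1 to the built-in
    # Administrator (RID 500): the shape the analytic is looking for.
    {"_time": "2024-03-01T09:10:00Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "action": "success",
     "dest": "WS01", "subject": "-", "SubjectLogonId": "0x3e7",
     "user": "Administrator", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "src": "127.0.0.1"},
    {"_time": "2024-03-01T09:12:30Z", "EventCode": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "action": "success",
     "dest": "WS01", "subject": "-", "SubjectLogonId": "0x3e7",
     "user": "Administrator", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1111-2222-3333-500", "src": "127.0.0.1"},
]

# The `by` clause of the stats command, in the same order as the SPL.
GROUP_BY = ("dest", "subject", "action", "SubjectLogonId",
            "user", "TargetUserName", "src")


def matches(event):
    """The base search: 4624, network logon, Kerberos package, success, loopback."""
    return (event.get("EventCode") == 4624
            and event.get("LogonType") == 3
            and event.get("AuthenticationPackageName") == "Kerberos"
            and event.get("action") == "success"
            and event.get("src") == "127.0.0.1")


def aggregate(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime by ...`.
    Returns one row per group: the group fields plus count, firstTime, lastTime
    (times rendered as ISO 8601, standing in for security_content_ctime)."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = tuple(ev.get(f) for f in GROUP_BY)
            groups[key].append(
                datetime.fromisoformat(ev["_time"].replace("Z", "+00:00")))
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        row["firstTime"] = min(times).isoformat()
        row["lastTime"] = max(times).isoformat()
        rows.append(row)
    return rows


def is_builtin_administrator(sid):
    """Triage hint from the description: the built-in local Administrator always
    has RID 500, so its SID ends in '-500' even if the account was renamed."""
    return sid.endswith("-500")


def apply_filter(rows, allowlist=()):
    """Stand-in for the `windows_kerberos_local_successful_logon_filter` macro:
    an assumed tuning that drops rows for hosts in a constructed allowlist."""
    return [r for r in rows if r["dest"] not in allowlist]


if __name__ == "__main__":
    for row in apply_filter(aggregate(SAMPLE_EVENTS)):
        print(row)
```

Only the two loopback Kerberos logons survive the base search, and they collapse into one stats row with count 2, which is the unit an analyst would triage; the NTLM loopback event and the remote Kerberos logon are dropped by the filter, not by the aggregation.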