Techniques
Sample rules
Windows Computer Account Requesting Kerberos Ticket
- source: splunk
- technicques:
- T1558
Description
The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.
Detection logic
`wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1"
| stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_requesting_kerberos_ticket_filter`