Techniques
Sample rules
Windows Computer Account Requesting Kerberos Ticket
- source: splunk
- technicques:
- T1558
Description
The following analytic identifies a ComputerAccount requesting a Kerberos Ticket. typically, a user account requests a Kerberos ticket. This behavior was identified with KrbUpRelay, but additional Kerberos attacks have exhibited similar behavior.
Detection logic
`wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1"
| stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, user, TargetUserName, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_requesting_kerberos_ticket_filter`