We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.

Sample rules

Suspicious Kerberos Service Ticket Request

Description

The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.

Detection logic

`wineventlog_security` EventCode=4769 
| eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,"@"),0)),1,0) 
| where isSuspicious = 1 
| rename Computer as dest
| rename TargetUserName as user 
| table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious 
| `suspicious_kerberos_service_ticket_request_filter`
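The same comparison as the SPL above (requesting account name, with the realm stripped, equal to ServiceName case-insensitively), re-implemented in Python so it can be exercised offline against constructed 4769 records; this is an added example, not code from the Splunk rule or the LoFP page, and the events, host names and the allowlist stand-in for the filter macro are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass
class Tgs4769:
    """Fields of a Windows Security 4769 event that the rule uses."""
    time: str
    computer: str           # logging DC, renamed to dest by the rule
    target_user_name: str   # requesting account, usually name@REALM
    service_name: str       # service principal the TGS was requested for
    ip_address: str         # src_ip
    status: str             # Error_Code, 0x0 on success


def account_part(target_user_name: str) -> str:
    """Equivalent of mvindex(split(TargetUserName,"@"),0)."""
    return target_user_name.split("@", 1)[0]


def is_suspicious(ev: Tgs4769) -> bool:
    """Requester name equals service name, compared case-insensitively."""
    return ev.service_name.lower() == account_part(ev.target_user_name).lower()


def find_suspicious(events: Iterable[Tgs4769],
                    allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Apply the rule and the post-filter, returning rows like the SPL table."""
    suppressed = {a.lower() for a in allowlist}
    rows = []
    for ev in events:
        if not is_suspicious(ev):
            continue
        # Stands in for the suspicious_kerberos_service_ticket_request_filter
        # macro: environment-specific suppressions ("filter as needed") go here.
        if ev.service_name.lower() in suppressed:
            continue
        rows.append({"_time": ev.time, "dest": ev.computer, "src_ip": ev.ip_address,
                     "user": ev.target_user_name, "ServiceName": ev.service_name,
                     "Error_Code": ev.status})
    return rows


# Constructed sample events, not real telemetry. Only the last one has the
# requester/service name match the rule looks for; WS07$ shows a locally
# known benign match being removed by the filter stage.
SAMPLE_EVENTS = [
    Tgs4769("2024-01-10T09:00:01", "DC01.corp.example", "alice@CORP.EXAMPLE", "FS01$", "10.0.0.21", "0x0"),
    Tgs4769("2024-01-10T09:00:02", "DC01.corp.example", "bob@CORP.EXAMPLE", "krbtgt", "10.0.0.22", "0x0"),
    Tgs4769("2024-01-10T09:00:03", "DC01.corp.example", "WS07$@CORP.EXAMPLE", "WS07$", "10.0.0.37", "0x0"),
    Tgs4769("2024-01-10T09:00:04", "DC01.corp.example", "DC01@CORP.EXAMPLE", "dc01", "10.0.0.99", "0x0"),
]

if __name__ == "__main__":
    for row in find_suspicious(SAMPLE_EVENTS, allowlist=frozenset({"WS07$"})):
        print(row)
```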