LoFP / We have tested this detection logic with ~2 million 4769 events and did not identify false positives. However, they may be possible in certain environments. Filter as needed.

Techniques

Sample rules

Suspicious Kerberos Service Ticket Request

Description

As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can then be used to take control of the domain controller in the final part of the attack. This analytic leverages Event ID 4769, "A Kerberos service ticket was requested", to identify an unusual TGS request in which the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.

Detection logic

`wineventlog_security` EventCode=4769
| eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,"@"),0)),1,0)
| where isSuspicious = 1
| rename Computer as dest
| rename TargetUserName as user
| table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious
| `suspicious_kerberos_service_ticket_request_filter`
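The eval/where comparison of the rule above, reproduced as an added Python example (not code from the rule's authors) so the match condition can be checked offline: field names follow the SPL, and the 4769 events below are constructed samples, not real telemetry.

```python
from typing import Dict, List, Optional

Event = Dict[str, str]


def account_from_upn(target_user_name: Optional[str]) -> Optional[str]:
    """Mirror mvindex(split(TargetUserName,"@"),0): keep the part before the realm."""
    if not target_user_name:
        return None
    return target_user_name.split("@", 1)[0]


def is_suspicious(event: Event) -> bool:
    """True when the requesting account (realm stripped) equals ServiceName,
    compared case-insensitively, exactly as the rule's eval/where does."""
    if str(event.get("EventCode")) != "4769":
        return False
    account = account_from_upn(event.get("TargetUserName"))
    service = event.get("ServiceName")
    if not account or not service:
        return False  # field missing: nothing to compare, so no match
    return account.lower() == service.lower()


def find_suspicious(events: List[Event]) -> List[Event]:
    """Apply the filter and project the columns of the rule's `table` command."""
    rows = []
    for ev in events:
        if is_suspicious(ev):
            rows.append({
                "_time": ev.get("_time"),
                "dest": ev.get("Computer"),        # rename Computer as dest
                "src_ip": ev.get("src_ip"),
                "user": ev.get("TargetUserName"),  # rename TargetUserName as user
                "ServiceName": ev.get("ServiceName"),
                "Error_Code": ev.get("Error_Code"),
                "isSuspicious": 1,
            })
    return rows


# Constructed sample events (not real telemetry); only the second one matches.
SAMPLE_EVENTS: List[Event] = [
    {"_time": "t0", "EventCode": "4769", "Computer": "dc01.corp.example", "src_ip": "10.0.0.25",
     "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "krbtgt", "Error_Code": "0x0"},
    {"_time": "t1", "EventCode": "4769", "Computer": "dc01.corp.example", "src_ip": "10.0.0.77",
     "TargetUserName": "DC01@CORP.EXAMPLE", "ServiceName": "dc01", "Error_Code": "0x0"},
    {"_time": "t2", "EventCode": "4768", "Computer": "dc01.corp.example", "src_ip": "10.0.0.77",
     "TargetUserName": "DC01@CORP.EXAMPLE", "ServiceName": "dc01", "Error_Code": "0x0"},
]
```

Calling `find_suspicious(SAMPLE_EVENTS)` returns only the t1 row; the t2 event is excluded because the rule is scoped to EventCode 4769.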