SPL | Apache-2.0 | from splunk/security_content
Suspicious Kerberos Service Ticket Request
The following analytic detects suspicious Kerberos service ticket (TGS) requests in which the requesting account name matches the name of the requested service, a pattern that can indicate an attempt to exploit CVE-2021-42278 and CVE-2021-42287 (the sAMAccountName spoofing chain). The detection uses Event ID 4769 from Domain Controller Security logs: the account portion of TargetUserName (the text before the @) is compared case-insensitively with ServiceName, and any event where the two are equal is flagged. This activity is significant because it may represent an adversary attempting to escalate privileges by impersonating a domain controller account. If confirmed malicious, it could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.
Rule source: detections/endpoint/suspicious_kerberos_service_ticket_request.yml
`wineventlog_security` EventCode=4769
| eval isSuspicious = if(lower(ServiceName) = lower(mvindex(split(TargetUserName,"@"),0)),1,0)
| where isSuspicious = 1
| rename Computer as dest
| rename TargetUserName as user
| table _time, dest, src_ip, user, ServiceName, Error_Code, isSuspicious
| `suspicious_kerberos_service_ticket_request_filter`
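The match condition above re-implemented in Python and run over a handful of constructed Event ID 4769 records, so the logic can be read and tested without a Splunk instance. This is an added example, not code from splunk/security_content; field names follow the SPL (EventCode, Computer, TargetUserName, ServiceName, src_ip, Error_Code), while the hostnames, realm, addresses and timestamps are made up for the example.

```python
"""Added example (not part of the splunk/security_content rule): the rule's
eval/where/rename/table steps as plain Python, applied to constructed
Event ID 4769 records. Sample hostnames, realm, IPs and times are invented."""
from __future__ import annotations

from typing import Iterable


def account_part(target_user_name: str) -> str:
    """Equivalent of mvindex(split(TargetUserName, "@"), 0): text before the first '@'."""
    return target_user_name.split("@", 1)[0]


def is_suspicious(event: dict) -> bool:
    """The rule's eval: lower(ServiceName) = lower(account part of TargetUserName).

    Events missing either field cannot satisfy the comparison.
    """
    service = event.get("ServiceName")
    target = event.get("TargetUserName")
    if not service or not target:
        return False
    return service.lower() == account_part(target).lower()


def detect(events: Iterable[dict]) -> list[dict]:
    """Base search + filter + table: keep EventCode 4769 records that match and
    project them to the columns the rule's `table` command emits
    (Computer renamed to dest, TargetUserName renamed to user)."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 4769 or not is_suspicious(ev):
            continue
        rows.append({
            "_time": ev.get("_time"),
            "dest": ev.get("Computer"),
            "src_ip": ev.get("src_ip"),
            "user": ev.get("TargetUserName"),
            "ServiceName": ev.get("ServiceName"),
            "Error_Code": ev.get("Error_Code"),
            "isSuspicious": 1,
        })
    return rows


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # A user requesting a ticket for a file server: account and service differ, no match.
    {"_time": "2024-01-01T09:00:00Z", "EventCode": 4769, "Computer": "dc01.corp.example",
     "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FS01$",
     "src_ip": "10.0.0.5", "Error_Code": "0x0"},
    # An account named like the domain controller requesting a ticket for a service
    # of the same name: the comparison is case-insensitive, so this matches.
    {"_time": "2024-01-01T09:01:00Z", "EventCode": 4769, "Computer": "dc01.corp.example",
     "TargetUserName": "DC01@CORP.EXAMPLE", "ServiceName": "dc01",
     "src_ip": "10.0.0.77", "Error_Code": "0x0"},
    # A computer account requesting a ticket to its own service also satisfies the
    # comparison, because the trailing '$' appears on both sides.
    {"_time": "2024-01-01T09:02:00Z", "EventCode": 4769, "Computer": "dc01.corp.example",
     "TargetUserName": "WS07$@CORP.EXAMPLE", "ServiceName": "WS07$",
     "src_ip": "10.0.0.12", "Error_Code": "0x0"},
    # A non-4769 record is outside the base search regardless of its other fields.
    {"_time": "2024-01-01T09:03:00Z", "EventCode": 4768, "Computer": "dc01.corp.example",
     "TargetUserName": "DC01@CORP.EXAMPLE", "ServiceName": "dc01",
     "src_ip": "10.0.0.77", "Error_Code": "0x0"},
]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

The third sample is worth noting when tuning: a computer account requesting a service ticket to itself (TargetUserName WS07$@REALM, ServiceName WS07$) satisfies the rule's comparison by construction, so check how often that shape appears in your own 4769 data before deciding what the `suspicious_kerberos_service_ticket_request_filter` macro should exclude.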