SPL, Apache-2.0, from splunk/security_content

Suspicious Ticket Granting Ticket Request

The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287 (sAMAccountName spoofing). It correlates Event ID 4781 (the name of an account was changed) with Event ID 4768 (a Kerberos TGT was requested): it looks for a computer account whose name is changed from one ending in "$" to one without the trailing "$", followed within two seconds by a TGT request for that new name. This sequence is significant because renaming a computer account to the bare name of a Domain Controller, and then obtaining a TGT for that name, is how an attacker sets up impersonation of the Domain Controller. If confirmed malicious, this activity could allow an attacker to gain elevated access and potentially control of the domain environment.

Rule source: detections/endpoint/suspicious_ticket_granting_ticket_request.yml
`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$")
  | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)
  | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768)
  | eval short_lived=case((duration<2),"TRUE")
  | search short_lived = TRUE
  | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived
  | rename Computer as dest
  | `suspicious_ticket_granting_ticket_request_filter`
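To show what the SPL search above actually pairs up, here is an added Python re-implementation of the same logic run over a handful of constructed Security events; it is example code written for this page, not Splunk's or the security_content project's code. The host name DC01.corp.local, the account names and the timestamps are made up. The `correlate` function approximates `transaction ... startswith=(EventCode=4781) endswith=(EventCode=4768)` by pairing each qualifying rename with the next TGT request for the same bare name; it only emits complete rename-then-TGT pairs and does not reproduce every nuance of Splunk's transaction handling, so treat it as an illustration of the detection idea rather than a drop-in replacement.

```python
from datetime import datetime

# Constructed sample Windows Security events (not real logs), shaped like the
# fields the SPL search reads: EventCode, Computer, OldTargetUserName and
# NewTargetUserName (4781), TargetUserName (4768). Host and account names are
# assumptions made up for this example.
SAMPLE_EVENTS = [
    # benign computer rename: new name still ends in '$', so not selected
    {"_time": "2021-12-10T09:00:00", "EventCode": 4781, "Computer": "DC01.corp.local",
     "OldTargetUserName": "WKSTN-OLD$", "NewTargetUserName": "WKSTN-NEW$"},
    # attacker-controlled computer account renamed to the DC's bare name
    {"_time": "2021-12-10T09:05:00", "EventCode": 4781, "Computer": "DC01.corp.local",
     "OldTargetUserName": "ATTACKER-PC$", "NewTargetUserName": "DC01"},
    # TGT requested for the spoofed name one second later
    {"_time": "2021-12-10T09:05:01", "EventCode": 4768, "Computer": "DC01.corp.local",
     "TargetUserName": "DC01"},
    # rename back: old name has no '$', so this 4781 is not a transaction start
    {"_time": "2021-12-10T09:05:02", "EventCode": 4781, "Computer": "DC01.corp.local",
     "OldTargetUserName": "DC01", "NewTargetUserName": "ATTACKER-PC$"},
    # ordinary user TGT: selected by the 4768 clause, but no open transaction
    {"_time": "2021-12-10T09:10:00", "EventCode": 4768, "Computer": "DC01.corp.local",
     "TargetUserName": "alice"},
    # rename to a bare name followed by a TGT 30 s later: not short-lived
    {"_time": "2021-12-10T09:20:00", "EventCode": 4781, "Computer": "DC01.corp.local",
     "OldTargetUserName": "LAB-PC$", "NewTargetUserName": "svc-backup"},
    {"_time": "2021-12-10T09:20:30", "EventCode": 4768, "Computer": "DC01.corp.local",
     "TargetUserName": "svc-backup"},
    # computer account TGT: name ends in '$', so not selected
    {"_time": "2021-12-10T09:30:00", "EventCode": 4768, "Computer": "DC01.corp.local",
     "TargetUserName": "FILESRV$"},
]


def selected(ev):
    """The base search: a 4781 where a '$' account became a bare name, or any
    4768 for a bare (non-'$') name."""
    if ev["EventCode"] == 4781:
        return (ev.get("OldTargetUserName", "").endswith("$")
                and not ev.get("NewTargetUserName", "").endswith("$"))
    if ev["EventCode"] == 4768:
        return not ev.get("TargetUserName", "").endswith("$")
    return False


def renamed_computer_account(ev):
    """eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)"""
    return ev.get("NewTargetUserName") or ev.get("TargetUserName")


def correlate(events, max_duration=2.0):
    """Approximates the transaction plus the duration<2 filter: pair each
    qualifying rename with the next TGT request for the same bare name and
    keep only pairs closer together than max_duration seconds."""
    open_starts = {}   # bare account name -> the 4781 that opened a transaction
    hits = []
    for ev in sorted(filter(selected, events), key=lambda e: e["_time"]):
        name = renamed_computer_account(ev)
        if ev["EventCode"] == 4781:
            open_starts[name] = ev            # a newer rename restarts the window
            continue
        start = open_starts.pop(name, None)   # a 4768 closes an open transaction
        if start is None:
            continue
        duration = (datetime.fromisoformat(ev["_time"])
                    - datetime.fromisoformat(start["_time"])).total_seconds()
        if duration < max_duration:           # short_lived = TRUE
            hits.append({
                "_time": start["_time"],
                "dest": ev["Computer"],       # rename Computer as dest
                "RenamedComputerAccount": name,
                "OldTargetUserName": start["OldTargetUserName"],
                "duration": duration,
            })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Two things worth noticing when tuning this rule: the 4768 clause on its own matches every user TGT request in the domain (any name without a trailing "$"), so the narrowing is done entirely by the pairing with a qualifying 4781 and the two-second window; and the rename back to a "$" name is deliberately not treated as a start, which is why the sample above produces a single result for DC01 and nothing for the 30-second svc-backup pair.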