Language: SPL. License: Apache-2.0. Source: splunk/security_content
Windows Computer Account Requesting Kerberos Ticket
The following analytic detects a computer account requesting a Kerberos ticket, which is unusual because such tickets are typically requested by user accounts. The detection leverages Windows Security Event Logs, specifically EventCode 4768 (a Kerberos authentication ticket, i.e. a TGT, was requested), and identifies events whose TargetUserName ends with a dollar sign ($), the naming convention for computer accounts. This activity is significant because it may indicate the use of tools like KrbRelayUp or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.
Rule source: detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
`wineventlog_security` EventCode=4768 TargetUserName="*$" src_ip!="::1"
| stats count min(_time) as firstTime max(_time) as lastTime BY dest, subject, action, user, TargetUserName, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_requesting_kerberos_ticket_filter`
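The same filter and aggregation re-implemented in Python over a handful of constructed EventCode 4768/4769 records, as an added example that is not part of the Splunk rule or the security_content project. It assumes the field names the SPL search uses (TargetUserName, src_ip, dest, subject, action, user) are present on each event; all sample values are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (values invented); field names match those used
# by the SPL search. _time is ISO-8601 for readability.
SAMPLE_EVENTS = [
    # Ordinary user TGT request: TargetUserName has no trailing '$', not matched.
    {"_time": "2024-05-01T08:00:00", "EventCode": 4768, "TargetUserName": "jdoe",
     "src_ip": "10.0.0.25", "dest": "DC01", "subject": "jdoe", "action": "success", "user": "jdoe"},
    # Computer account requesting a TGT from a remote host: matched twice, one group.
    {"_time": "2024-05-01T08:05:00", "EventCode": 4768, "TargetUserName": "WKSTN07$",
     "src_ip": "10.0.0.31", "dest": "DC01", "subject": "WKSTN07$", "action": "success", "user": "WKSTN07$"},
    {"_time": "2024-05-01T08:07:00", "EventCode": 4768, "TargetUserName": "WKSTN07$",
     "src_ip": "10.0.0.31", "dest": "DC01", "subject": "WKSTN07$", "action": "success", "user": "WKSTN07$"},
    # DC requesting for itself over IPv6 loopback: dropped by src_ip!="::1".
    {"_time": "2024-05-01T08:10:00", "EventCode": 4768, "TargetUserName": "DC01$",
     "src_ip": "::1", "dest": "DC01", "subject": "DC01$", "action": "success", "user": "DC01$"},
    # Service ticket request (4769) is not a TGT request: wrong EventCode, not matched.
    {"_time": "2024-05-01T08:12:00", "EventCode": 4769, "TargetUserName": "SRV02$",
     "src_ip": "10.0.0.40", "dest": "DC02", "subject": "SRV02$", "action": "success", "user": "SRV02$"},
    {"_time": "2024-05-01T09:00:00", "EventCode": 4768, "TargetUserName": "SRV02$",
     "src_ip": "10.0.0.40", "dest": "DC02", "subject": "SRV02$", "action": "success", "user": "SRV02$"},
]

# Same BY clause as the SPL stats command.
GROUP_BY = ("dest", "subject", "action", "user", "TargetUserName", "src_ip")


def matches_rule(event):
    """Mirror the search head: EventCode=4768 TargetUserName="*$" src_ip!="::1"."""
    return (event.get("EventCode") == 4768
            and str(event.get("TargetUserName", "")).endswith("$")
            and event.get("src_ip") != "::1")


def summarize(events):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime BY ...`.
    Returns {group_tuple: {"count", "firstTime", "lastTime"}} with ISO timestamps."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            groups[tuple(ev.get(f) for f in GROUP_BY)].append(datetime.fromisoformat(ev["_time"]))
    return {key: {"count": len(ts), "firstTime": min(ts).isoformat(), "lastTime": max(ts).isoformat()}
            for key, ts in groups.items()}


if __name__ == "__main__":
    for key, agg in summarize(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_BY, key)), agg)
```

The `windows_computer_account_requesting_kerberos_ticket_filter` macro has no equivalent here; in production that is where known-good hosts would be excluded after triage.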