Potential Privilege Escalation via Local Kerberos Relay over LDAP

Warning

This rule has been deprecated as of 2022/08/01.

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Rule type: eql
Rule indices:

winlogbeat-*
logs-system.*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

Elastic
Host
Windows
Threat Detection
Privilege Escalation
Credential Access

Version: 100
Rule authors:

Elastic

Rule license: Elastic License v2

Rule Query

		authentication where

 /* event 4624 need to be logged */
 event.action == "logged-in" and event.outcome == "success" and

 /* authenticate locally via relayed kerberos ticket */
 winlog.event_data.AuthenticationPackageName : "Kerberos" and winlog.logon.type == "Network" and
 source.ip == "127.0.0.1" and source.port > 0 and

 /* Impersonate Administrator user via S4U2Self service ticket */
 winlog.event_data.TargetUserSid : "S-1-5-21-*-500"
		
	

Framework: MITRE ATT&CK

Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Abuse Elevation Control Mechanism
- Id: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Sub Technique:
- Name: Bypass User Account Control
- Id: T1548.002
- Reference URL: https://attack.mitre.org/techniques/T1548/002/

Framework: MITRE ATT&CK

Tactic:
- Name: Credential Access
- Id: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Steal or Forge Kerberos Tickets
- Id: T1558
- Reference URL: https://attack.mitre.org/techniques/T1558/