Potential Privilege Escalation via Local Kerberos Relay over LDAPedit

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • Credential Access

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

authentication where

 /* event 4624 need to be logged */
 event.action == "logged-in" and event.outcome == "success" and

 /* authenticate locally via relayed kerberos ticket */
 winlog.event_data.AuthenticationPackageName : "Kerberos" and winlog.logon.type == "Network" and
 source.ip == "" and source.port > 0 and

 /* Impersonate Administrator user via S4U2Self service ticket */
 winlog.event_data.TargetUserSid : "S-1-5-21-*-500"