Potential Privilege Escalation via Local Kerberos Relay over LDAPedit

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • Credential Access

Version: 1

Added (Elastic Stack release): 8.3.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

authentication where /* event 4624 need to be logged */
event.action == "logged-in" and event.outcome == "success" and /*
authenticate locally via relayed kerberos ticket */
winlog.event_data.AuthenticationPackageName : "Kerberos" and
winlog.logon.type == "Network" and source.ip == "" and
source.port > 0 and /* Impersonate Administrator user via S4U2Self
service ticket */ winlog.event_data.TargetUserSid : "S-1-5-21-*-500"

Threat mappingedit