name: Suspicious Ticket Granting Ticket Request
id: d77d349e-6269-11ec-9cfe-acde48001122
version: 7
date: 2025-02-10
author: Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant because it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.
data_source:
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: A computer account name change event immediately followed by a Kerberos TGT request with matching fields is unusual. However, legitimate behavior may trigger it. Filter as needed.
references:
- https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
drilldown_searches:
tags:
  analytic_story:
  - 'sAMAccountName Spoofing and Domain Controller Impersonation'
  - 'Active Directory Kerberos Attacks'
  - 'Active Directory Privilege Escalation'
  asset_type: Endpoint
  mitre_attack_id:
  - 'T1078.002'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  security_domain: endpoint
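The sequence the description relies on, a 4781 account rename followed by a 4768 TGT request under the new name, can be correlated outside Splunk as well. The Python below is an added illustration, not the analytic's own SPL search (which this page does not show): the ten-minute correlation window is an assumed value, the event field names are the standard Windows Security event fields (OldTargetUserName / NewTargetUserName for 4781, TargetUserName for 4768), and the sample events are constructed. The trailing `$` on the old name is used to restrict hits to computer accounts, as the description does.

```python
"""Correlate Event ID 4781 (account renamed) with a later Event ID 4768
(TGT requested) whose TargetUserName equals the new account name.
Added illustration; sample events are constructed, not real logs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Maximum gap between rename and TGT request for the pair to count as one
# sequence. Assumed value; the Splunk analytic's own window is not on the page.
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    time: datetime
    code: int                     # Windows Security Event ID
    fields: dict = field(default_factory=dict)


def correlate_rename_then_tgt(events, window=WINDOW):
    """Return (rename_event, tgt_event) pairs where a computer account
    (old name ending in '$') was renamed and a TGT was then requested
    under the new name within `window`."""
    pending = []   # 4781 events still inside the window, oldest first
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.code == 4781:
            pending.append(ev)
            continue
        if ev.code != 4768:
            continue
        # Expire renames older than the window before comparing.
        pending = [r for r in pending if ev.time - r.time <= window]
        requester = ev.fields.get("TargetUserName", "")
        for r in pending:
            old = r.fields.get("OldTargetUserName", "")
            new = r.fields.get("NewTargetUserName", "")
            if old.endswith("$") and new and new == requester:
                hits.append((r, ev))
    return hits


def describe(hit):
    """Human-readable summary of one correlated pair for a hunting report."""
    rename, tgt = hit
    return (f"{rename.fields.get('OldTargetUserName')} renamed to "
            f"{rename.fields.get('NewTargetUserName')} by "
            f"{rename.fields.get('SubjectUserName', '?')} at {rename.time:%H:%M:%S}; "
            f"TGT requested for {tgt.fields.get('TargetUserName')} from "
            f"{tgt.fields.get('IpAddress', '?')} at {tgt.time:%H:%M:%S}")


# Constructed sample events (not real data).
T0 = datetime(2025, 2, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    # Computer account renamed, then a TGT requested for the new name seconds later.
    Event(T0, 4781, {"OldTargetUserName": "WS01$", "NewTargetUserName": "DC01",
                     "SubjectUserName": "jdoe"}),
    Event(T0 + timedelta(seconds=5), 4768,
          {"TargetUserName": "DC01", "IpAddress": "10.0.0.25"}),
    # Ordinary user rename followed by logon: not a computer account, ignored.
    Event(T0 + timedelta(minutes=1), 4781,
          {"OldTargetUserName": "asmith", "NewTargetUserName": "asmith2",
           "SubjectUserName": "helpdesk"}),
    Event(T0 + timedelta(minutes=2), 4768,
          {"TargetUserName": "asmith2", "IpAddress": "10.0.0.40"}),
    # Computer rename with a TGT request well outside the window: ignored.
    Event(T0 + timedelta(minutes=5), 4781,
          {"OldTargetUserName": "WS02$", "NewTargetUserName": "WS02NEW$",
           "SubjectUserName": "sysadmin"}),
    Event(T0 + timedelta(minutes=30), 4768,
          {"TargetUserName": "WS02NEW$", "IpAddress": "10.0.0.41"}),
]


def find_suspicious_tgt_requests(events=SAMPLE_EVENTS):
    return correlate_rename_then_tgt(events)


if __name__ == "__main__":
    for h in find_suspicious_tgt_requests():
        print(describe(h))
```

Because this is a hunting analytic, a legitimate computer rename followed promptly by the renamed host requesting a ticket will also pair up, which is the false positive the record notes; tune the window and filter known rename workflows rather than dropping the `$` check.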