Suspicious Ticket Granting Ticket Request

Name:Suspicious Ticket Granting Ticket Request
id:d77d349e-6269-11ec-9cfe-acde48001122
version:5
date:2024-10-17
author:Mauricio Velazco, Splunk
status:production
type:Hunting
Description:The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.
Data_source:

• -Windows Event Log Security 4768
• -Windows Event Log Security 4781

search:`wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$")
| eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)
| transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768)
| eval short_lived=case((duration<2),"TRUE")
| search short_lived = TRUE
| table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived
| rename Computer as dest
| `suspicious_ticket_granting_ticket_request_filter`

how_to_implement:To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives:A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.
References:
  -https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
  -https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
  -https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
drilldown_searches:
  :
tags:
  analytic_story:
    - 'sAMAccountName Spoofing and Domain Controller Impersonation'
    - 'Active Directory Kerberos Attacks'
    - 'Active Directory Privilege Escalation'
  asset_type:Endpoint
  confidence:60
  impact:100
  message:A suspicious TGT was requested was requested by $dest$
  mitre_attack_id:
    - 'T1078'
    - 'T1078.002'
  observable:
    name:'dest'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'Old_Account_Name'
    - 'New_Account_Name'
    - 'Account_Name'
    - 'ComputerName'
  risk_score:60
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log
  source: XmlWinEventLog:Security
  sourcetype: XmlWinEventLog
manual_test:None