mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
34 lines
1.6 KiB
YAML
34 lines
1.6 KiB
YAML
title: PetitPotam Suspicious Kerberos TGT Request
|
|
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
|
|
description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
|
|
certificate by abusing Active Directory Certificate Services in combination with
|
|
PetitPotam, the next step would be to leverage the certificate for malicious purposes.
|
|
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
|
|
like Rubeus. This request will generate a 4768 event with some unusual fields depending
|
|
on the environment. This analytic will require tuning, we recommend filtering Account_Name
|
|
to the Domain Controller computer accounts.
|
|
author: Mauricio Velazco, Michael Haag
|
|
date: 2021/09/02
|
|
references:
|
|
- https://github.com/topotam/PetitPotam
|
|
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
|
|
- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1187
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
|
|
detection:
|
|
selection:
|
|
EventID: 4768
|
|
TargetUserName|endswith: '$'
|
|
CertThumbprint: '*'
|
|
filter_local:
|
|
IpAddress: '::1'
|
|
condition: selection and not filter_local
|
|
falsepositives:
|
|
- False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
|
|
level: high
|