Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential Privilege Escalation via Local Kerberos Relay over LDAP

Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Elastic SecurityCreated Wed Apr 27Updated Tue Aug 13749c9f5e-b353-4b90-a9c1-05243357ca4bwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid|startswith: 'S-1-5-21-'
        TargetUserSid|endswith: '-500'
    filter_main_ip_null:
        IpPort: '0'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
twitter.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
749c9f5e-b353-4b90-a9c1-05243357ca4b
Status
test
Level
high
Type
Detection
Created
Wed Apr 27
Modified
Tue Aug 13
Author
Elastic Security
Path
rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.credential-accessattack.t1548
View on GitHub