hayabusa/rules/sigma/builtin/win_petitpotam_susp_tgt_request.yml

title: PetitPotam Suspicious Kerberos TGT Request
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
description: Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer
  certificate by abusing Active Directory Certificate Services in combination with
  PetitPotam, the next step would be to leverage the certificate for malicious purposes.
  One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool
  like Rubeus. This request will generate a 4768 event with some unusual fields depending
  on the environment. This analytic will require tuning, we recommend filtering Account_Name
  to the Domain Controller computer accounts.
detection:
  SELECTION_1:
    EventID: 4768
  SELECTION_2:
    TargetUserName: '*$'
  SELECTION_3:
    CertThumbprint: '*'
  SELECTION_4:
    IpAddress: ::1
  SELECTION_5:
    CertThumbprint: ''
  condition: (((SELECTION_1 and SELECTION_2 and SELECTION_3) and  not (SELECTION_4))
    and  not (SELECTION_5))
falsepositives:
- False positives are possible if the environment is using certificates for authentication.
  We recommend filtering Account_Name to the Domain Controller computer accounts.
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
level: high
logsource:
  definition: The advanced audit policy setting "Account Logon > Kerberos Authentication
    Service" must be configured for Success/Failure
  product: windows
  service: security
modified: 2021/09/07
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
- https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
status: experimental
tags:
- attack.credential_access
- attack.t1187
ruletype: SIGMA