Awesome post! Definitely appreciate the blue team perspective of looking through Event Viewer.
Glad you liked it. Tell your friends!
Thanks!
You're welcome! Thanks for watching!
What other attacks are possible, if the machine account quota is set too high?
This is probably one of the only ones that abuses the machine account quota. Many orgs now disable the ability for standard users to join the domain due to Kerberos delegation and relaying. If anyone else knows let me know what attacks can abuse this.
Just wanted to know: do we never see a logon type 3 event with the source IP being 127.0.0.1 when the process is Kerberos?
It’s super rare to see that. I have only ever seen it with management tools running on box.
@CyberAttackDefense It's not that rare; at least I have seen it quite often in some envs. However, what is rare is the account "Administrator". Question for you: is it always going to be the account Administrator?
Here are two Splunk rules to easily detect this.
Sysmon detection:
index="wineventlog" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" "KrbRelayUp"
| search EventCode="1"
| search ((Image="*\\KrbRelayUp.exe" OR OriginalFileName="KrbRelayUp.exe") OR (CommandLine="* relay *" CommandLine="* -Domain *" CommandLine="* -ComputerName *") OR (CommandLine="* krbscm *" CommandLine="* -sc *") OR (CommandLine="* spawn *" CommandLine="* -d *" CommandLine="* -cn *" CommandLine="* -cp *"))
| stats values(ComputerName) as ComputerName values(OriginalFileName) as OriginalFileName values(CommandLine) as CommandLine values(ParentCommandLine) as ParentCommandLine by _time User
| search NOT User="*SYSTEM"
| table _time User ComputerName OriginalFileName ParentCommandLine CommandLine | sort - _time
WinEventLog Security detection:
index="wineventlog" source="WinEventLog:Security" "KrbRelayUp"
| search EventCode=4688
| stats values(ComputerName) as ComputerName values(Account_Name) as Account_Name values(user) as user values(signature) as signature values(Creator_Process_Name) as Parent_Process values(New_Process_Name) as Child_Process values(Process_Command_Line) as ProcessCommand values(src) as src values(dest) as dest count by _time src_user
| table _time src_user ComputerName Parent_Process Child_Process ProcessCommand | sort - _time
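The same command-line heuristics as the Splunk rules above, plus the "logon type 3 from 127.0.0.1 via Kerberos" indicator asked about earlier, applied to constructed events in Python; this is an added example, not code from the video or the commenter, and the events are dicts keyed by the Sysmon/Security field names the queries use.

```python
# Added example (not the video's or the commenter's code); events are dicts keyed by Sysmon/Security field names.

# Each inner list mirrors one parenthesised clause of the rule: every term in
# a clause must be present (implicit AND), and any clause is enough (OR).
KRBRELAYUP_CLAUSES = [
    ["relay", "-domain", "-computername"],
    ["krbscm", "-sc"],
    ["spawn", "-d", "-cn", "-cp"],
]
KRBRELAYUP_IMAGE = "krbrelayup.exe"

def _tokens(command_line):
    # SPL's "* -sc *" needs the term delimited by spaces and matches case-insensitively;
    # lower-cased whitespace tokens reproduce that (slightly broader: also matches at either end).
    return {t.lower() for t in command_line.split()}

def is_krbrelayup_process(ev):
    """Process-creation event (Sysmon EID 1 or Security 4688) matching the rule;
    SYSTEM-owned processes are excluded, as the query's NOT User filter does."""
    if ev.get("EventCode") not in (1, 4688) or ev.get("User", "").upper().endswith("SYSTEM"):
        return False
    image, ofn = ev.get("Image", "").lower(), ev.get("OriginalFileName", "").lower()
    if image.endswith("\\" + KRBRELAYUP_IMAGE) or ofn == KRBRELAYUP_IMAGE:
        return True
    toks = _tokens(ev.get("CommandLine", ""))
    return any(all(term in toks for term in clause) for clause in KRBRELAYUP_CLAUSES)

def is_local_kerberos_network_logon(ev):
    """4624 with logon type 3, source 127.0.0.1 and Kerberos: the rare
    combination discussed above, worth surfacing for analyst review."""
    return (ev.get("EventCode") == 4624 and ev.get("LogonType") == 3
            and ev.get("IpAddress") == "127.0.0.1"
            and ev.get("AuthenticationPackageName", "").lower() == "kerberos")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "User": "CORP\\alice", "Image": "C:\\Users\\alice\\Downloads\\KrbRelayUp.exe",
     "OriginalFileName": "KrbRelayUp.exe", "CommandLine": "KrbRelayUp.exe full -m rbcd"},
    {"EventCode": 4688, "User": "CORP\\alice", "Image": "C:\\Temp\\svc.exe",  # renamed binary
     "OriginalFileName": "svc.exe", "CommandLine": "svc.exe relay -Domain corp.local -ComputerName ws01"},
    {"EventCode": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"EventCode": 4624, "LogonType": 3, "IpAddress": "127.0.0.1",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator"},
]

def triage(events):
    # Indexes of events matching either indicator.
    return [i for i, ev in enumerate(events)
            if is_krbrelayup_process(ev) or is_local_kerberos_network_logon(ev)]
```

Note that the second sample event is caught only by the command-line clauses, which is the case the free-text "KrbRelayUp" term at the start of the SPL would miss if the binary were renamed.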