T1212

Exploitation for Credential Access

Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.

Microsoft Sentinel / Defender

kusto

let LookbackPeriod = 24h;
// Branch 1: Kerberos TGS requests using RC4 encryption for krbtgt service
// RC4-HMAC (0x17) for krbtgt TGS is a classic MS14-068 / forged ticket indicator in AES-capable environments
let KerberosTGSAnomalies = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| where TicketEncryptionType == "0x17"                    // RC4-HMAC — suspicious when AES-256 (0x12) expected
| where ServiceName =~ "krbtgt"                            // Forged TGTs always request krbtgt service ticket
| where TargetUserName !endswith "$"                        // Exclude machine accounts
| where TargetUserName !in~ ("ANONYMOUS LOGON", "")
| extend DetectionBranch = "Kerberos_RC4_TGS_Anomaly"
| project TimeGenerated, Computer,
          AccountName = TargetUserName,
          Detail = strcat("Service:", ServiceName, " EncType:", TicketEncryptionType, " SrcIP:", IpAddress, " Options:", TicketOptions),
          DetectionBranch;
// Branch 2: Known Kerberos exploitation and credential access tool signatures in process events
let ExploitToolExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where ProcessCommandLine has_any (
    "kerberos::golden", "kerberos::silver", "kerberos::ptc", "kerberos::purge",
    "sekurlsa::kerberos", "lsadump::dcsync", "lsadump::lsa /patch",
    "goldenPac.py", "ticketer.py", "PyKEK", "ms14-068", "ms14_068",
    "Invoke-Kerberoast", "Request-SPNTicket", "Get-KerberosTicketGrantingTicket",
    "kerberos::list /export", "kerberos::ptt"
)
| extend DetectionBranch = "Exploit_Tool_Kerberos"
| project TimeGenerated = Timestamp, Computer = DeviceName,
          AccountName,
          Detail = ProcessCommandLine,
          DetectionBranch;
// Branch 3: Kerberos pre-authentication failure sweep — multiple failures across accounts from single source
let KerberosExploitSweep = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4771
| where TargetUserName !endswith "$"
| summarize FailureCount = count(),
            AffectedAccounts = dcount(TargetUserName),
            Codes = make_set(Status, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, Computer, bin(TimeGenerated, 10m)
| where FailureCount >= 5 and AffectedAccounts >= 2
| extend DetectionBranch = "Kerberos_Exploit_Sweep"
| project TimeGenerated = LastSeen, Computer,
          AccountName = strcat("Multiple (", tostring(AffectedAccounts), " accounts)"),
          Detail = strcat("Failures:", FailureCount, " Accounts:", AffectedAccounts, " SrcIP:", IpAddress, " Codes:", tostring(Codes)),
          DetectionBranch;
// Branch 4: Temporal correlation — Kerberos RC4 anomaly followed by high-privilege logon within 5 minutes
let RecentKerberosAnomaly = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| where TicketEncryptionType == "0x17" and ServiceName =~ "krbtgt"
| where TargetUserName !endswith "$"
| project KerberosTime = TimeGenerated, Computer, AnomalousUser = TargetUserName;
let PrivilegeEscalation = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4672
| where PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege")
| where SubjectUserName !endswith "$"
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| project EscalationTime = TimeGenerated, Computer, EscalatedUser = SubjectUserName, Privileges = PrivilegeList;
let KerberosPrivEscChain = RecentKerberosAnomaly
| join kind=inner PrivilegeEscalation on Computer
| where EscalationTime > KerberosTime and EscalationTime <= KerberosTime + 5m
| where AnomalousUser =~ EscalatedUser
| extend DetectionBranch = "Kerberos_Exploit_PrivEsc_Chain"
| project TimeGenerated = EscalationTime, Computer,
          AccountName = EscalatedUser,
          Detail = strcat("Kerberos RC4 anomaly at:", tostring(KerberosTime), " — privilege escalation:", Privileges),
          DetectionBranch;
// Union all detection branches
union KerberosTGSAnomalies, ExploitToolExecution, KerberosExploitSweep, KerberosPrivEscChain
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Process: Process Creation Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legacy applications or domain-joined systems configured to only support RC4 Kerberos encryption that legitimately request krbtgt TGS tickets with TicketEncryptionType 0x17
Environments with mixed encryption policy (GPO: Network security: Configure encryption types allowed for Kerberos) where RC4 is explicitly permitted for compatibility with older systems
Authorized penetration testing or red team exercises using Kerberoasting, Mimikatz, or MS14-068 proof-of-concept tools — correlate with change management tickets and known testing windows
Monitoring, backup, or ITSM agents making frequent Kerberos service ticket requests that may trigger the pre-authentication failure sweep threshold
Domain controller promotion, demotion, or inter-site replication operations that trigger EventID 4672 with elevated privileges on DC accounts

Splunk

spl

((index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4769 OR EventCode=4771 OR EventCode=4672))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*kerberos::golden*" OR CommandLine="*kerberos::silver*" OR CommandLine="*kerberos::ptc*"
   OR CommandLine="*kerberos::purge*" OR CommandLine="*kerberos::ptt*" OR CommandLine="*goldenPac.py*"
   OR CommandLine="*ticketer.py*" OR CommandLine="*PyKEK*" OR CommandLine="*ms14-068*"
   OR CommandLine="*ms14_068*" OR CommandLine="*lsadump::dcsync*" OR CommandLine="*lsadump::lsa*"
   OR CommandLine="*Invoke-Kerberoast*" OR CommandLine="*Request-SPNTicket*"
   OR CommandLine="*sekurlsa::kerberos*" OR CommandLine="*kerberos::list*")))
| rex field=_raw "Service Name:\s+(?<ExtServiceName>[^\r\n]+)"
| rex field=_raw "Ticket Encryption Type:\s+(?<ExtTicketEncType>0x[0-9a-fA-F]+)"
| rex field=_raw "Account Name:\s+(?<ExtTargetAccount>[^\r\n]+)"
| rex field=_raw "Client Address:\s+(?:::ffff:)?(?<ExtSourceIP>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
| eval ResolvedServiceName=coalesce(ServiceName, ExtServiceName)
| eval ResolvedEncType=coalesce(TicketEncryptionType, ExtTicketEncType)
| eval ResolvedUser=coalesce(TargetUserName, ExtTargetAccount, User)
| eval DetectionBranch=case(
    EventCode=4769 AND ResolvedEncType="0x17" AND (ResolvedServiceName="krbtgt" OR ExtServiceName="krbtgt"), "Kerberos_RC4_TGS_Anomaly",
    EventCode=4672 AND match(PrivilegeList, "(SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege)") AND NOT match(ResolvedUser, ".*\$") AND NOT (ResolvedUser="SYSTEM" OR ResolvedUser="LOCAL SERVICE" OR ResolvedUser="NETWORK SERVICE"), "High_Privilege_Assignment",
    EventCode=1 AND match(CommandLine, "(kerberos::(golden|silver|ptc|purge|ptt)|goldenPac\.py|ticketer\.py|PyKEK|ms14[-_]068|lsadump::(dcsync|lsa)|Invoke-Kerberoast|Request-SPNTicket|sekurlsa::kerberos)"), "Exploit_Tool_Kerberos",
    true(), null()
)
| where isnotnull(DetectionBranch)
| where NOT (EventCode=4769 AND match(ResolvedUser, ".*\$"))
| eval SuspicionScore=case(
    DetectionBranch="Kerberos_RC4_TGS_Anomaly", 4,
    DetectionBranch="Exploit_Tool_Kerberos", 5,
    DetectionBranch="High_Privilege_Assignment", 2,
    true(), 1
)
| table _time, host, ResolvedUser, ResolvedServiceName, ResolvedEncType, ExtSourceIP, PrivilegeList, CommandLine, DetectionBranch, SuspicionScore
| sort - _time

critical severity medium confidence

Data Sources

Authentication: Authentication Logon Session: Logon Session Creation Process: Process Creation Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy applications configured for RC4-only Kerberos that legitimately request krbtgt service tickets
Domain controllers and privileged service accounts receiving SeDebugPrivilege or SeTcbPrivilege through legitimate Group Policy assignments
Authorized penetration testing or red team operations using Mimikatz or Impacket Kerberos modules
Vulnerability scanning tools that probe Kerberos services and generate pre-authentication failures across multiple accounts
Kerberos-integrated monitoring solutions that perform frequent ticket requests as part of health checking

Elastic Security (EQL)

eql

any where
  /* Branch 1: Kerberos RC4 TGS Anomaly — MS14-068 / golden ticket PAC forgery indicator */
  (
    event.code == "4769" and
    winlog.event_data.TicketEncryptionType == "0x17" and
    winlog.event_data.ServiceName : "krbtgt" and
    not winlog.event_data.TargetUserName : "*$" and
    winlog.event_data.TargetUserName != "ANONYMOUS LOGON" and
    winlog.event_data.TargetUserName != ""
  )
  or
  /* Branch 2: Kerberos exploitation tool command line signatures */
  (
    event.category : "process" and
    event.type : "start" and
    process.command_line : (
      "*kerberos::golden*", "*kerberos::silver*", "*kerberos::ptc*",
      "*kerberos::ptt*", "*kerberos::purge*", "*kerberos::list /export*",
      "*goldenPac.py*", "*ticketer.py*", "*PyKEK*",
      "*ms14-068*", "*ms14_068*", "*lsadump::dcsync*",
      "*lsadump::lsa /patch*", "*Invoke-Kerberoast*",
      "*Request-SPNTicket*", "*sekurlsa::kerberos*"
    )
  )
  or
  /* Branch 3: High-privilege special logon on user account — corroborating escalation signal */
  (
    event.code == "4672" and
    winlog.event_data.PrivilegeList : (
      "*SeDebugPrivilege*", "*SeTcbPrivilege*",
      "*SeAssignPrimaryTokenPrivilege*", "*SeTakeOwnershipPrivilege*"
    ) and
    not winlog.event_data.SubjectUserName : "*$" and
    winlog.event_data.SubjectUserName != "SYSTEM" and
    winlog.event_data.SubjectUserName != "LOCAL SERVICE" and
    winlog.event_data.SubjectUserName != "NETWORK SERVICE"
  )

critical severity high confidence

Data Sources

Windows Security Event Log (EventID 4769, 4672) via Winlogbeat or Elastic Agent Sysmon EventID 1 (Process Create) via Winlogbeat or Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legacy applications, printers, NAS devices, or UNIX hosts with Kerberos keytabs configured for RC4-only encryption that genuinely request krbtgt service tickets with RC4-HMAC; validate by cross-referencing the requesting IpAddress against a known legacy device inventory and confirming no subsequent privilege escalation events occur within 5 minutes
Authorized penetration testers or red team operators executing impacket, Mimikatz, or PowerSploit toolsets during a defined engagement window; correlate alert timestamps against approved change management records and tester source IP ranges before escalating — consider populating an exception list by host.name during scheduled assessment periods
Domain administrators or service accounts on privileged access workstations (PAWs) that legitimately hold SeDebugPrivilege for debugging or backup operations; baseline which user/host combinations regularly receive EventID 4672 with these privileges and apply a host-level exception for known PAW systems in your detection tuning

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS AccountName,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(highlevelcategory) AS EventCategory,
  "Message" AS RawMessage,
  hostname AS HostName,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Sysmon'
  )
  AND eventtime > NOW() - 86400000
  AND (
    /* Branch 1: Kerberos RC4 TGS Anomaly — EventID 4769 RC4-HMAC targeting krbtgt */
    (
      QIDNAME(qid) ILIKE '%Kerberos Service Ticket%'
      AND "Message" ILIKE '%0x17%'
      AND "Message" ILIKE '%krbtgt%'
      AND username NOT LIKE '%$'
      AND username NOT IN ('ANONYMOUS LOGON', '')
    )
    OR
    /* Branch 2: Kerberos exploitation tool command line signatures */
    (
      "Message" ILIKE '%kerberos::golden%'
      OR "Message" ILIKE '%kerberos::silver%'
      OR "Message" ILIKE '%kerberos::ptc%'
      OR "Message" ILIKE '%kerberos::ptt%'
      OR "Message" ILIKE '%kerberos::purge%'
      OR "Message" ILIKE '%goldenPac.py%'
      OR "Message" ILIKE '%ticketer.py%'
      OR "Message" ILIKE '%PyKEK%'
      OR "Message" ILIKE '%ms14-068%'
      OR "Message" ILIKE '%ms14_068%'
      OR "Message" ILIKE '%lsadump::dcsync%'
      OR "Message" ILIKE '%lsadump::lsa%'
      OR "Message" ILIKE '%Invoke-Kerberoast%'
      OR "Message" ILIKE '%Request-SPNTicket%'
      OR "Message" ILIKE '%sekurlsa::kerberos%'
    )
    OR
    /* Branch 3: High-privilege special logon — EventID 4672 with elevated tokens */
    (
      QIDNAME(qid) ILIKE '%Special Privileges Assigned%'
      AND (
        "Message" ILIKE '%SeDebugPrivilege%'
        OR "Message" ILIKE '%SeTcbPrivilege%'
        OR "Message" ILIKE '%SeAssignPrimaryTokenPrivilege%'
        OR "Message" ILIKE '%SeTakeOwnershipPrivilege%'
      )
      AND username NOT LIKE '%$'
      AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
    )
  )
ORDER BY starttime DESC
LIMIT 1000

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM — EventID 4769, 4672) Microsoft Sysmon (QRadar DSM — EventID 1 Process Create)

Required Tables

events

False Positives

Domain controllers in mixed-mode environments serving Kerberos clients that require RC4 encryption (legacy Windows XP remnants, embedded systems, network appliances with RC4-only Kerberos configurations); cross-reference the sourceip field from Branch 1 alerts against a QRadar reference set of approved legacy device IPs and suppress if matched
Authorized red team or penetration testing personnel running impacket, Mimikatz, or Rubeus during a defined assessment engagement; use QRadar building blocks with a time-bounded reference set of approved tester source IPs to suppress Branch 2 alerts during the assessment window and re-enable after close
Enterprise backup or privileged identity management software (e.g., CyberArk Vault, Veeam, Commvault) running under dedicated service accounts that legitimately receive SeAssignPrimaryTokenPrivilege or SeDebugPrivilege for volume shadow copy or credential vault operations; add these service account names to a QRadar reference set and exclude them from Branch 3 rule firing

Sumo Logic CSE

sql

(_sourceCategory=Windows/Security OR _sourceCategory=Windows/Sysmon OR _sourceCategory=OS/Windows)
| parse "EventCode=*" as EventID nodrop
| parse "EventID=*" as EventID nodrop
| parse "Ticket Encryption Type:\t\t*" as TicketEncryptionType nodrop
| parse "Service Name:\t\t\t*" as ServiceName nodrop
| parse "Account Name:\t\t\t*" as TargetUserName nodrop
| parse "Account Name:\t\t*" as SubjectUserName nodrop
| parse "Client Address:\t\t::ffff:*" as SourceIP nodrop
| parse "Privilege List:\t\t*" as PrivilegeList nodrop
| parse "CommandLine: *" as CommandLine nodrop
| where
  /* Branch 1: Kerberos RC4 TGS Anomaly */
  (
    EventID == "4769"
    AND TicketEncryptionType == "0x17"
    AND toLower(ServiceName) == "krbtgt"
    AND !matches(TargetUserName, ".*[$]")
    AND TargetUserName != "ANONYMOUS LOGON"
  )
  OR
  /* Branch 2: Kerberos exploitation tool signatures via Sysmon EventID 1 */
  (
    EventID == "1"
    AND (
      matches(CommandLine, "(?i).*(kerberos::(golden|silver|ptc|ptt|purge|list)).*")
      OR matches(CommandLine, "(?i).*(ms14[-_]068).*")
      OR matches(CommandLine, "(?i).*(lsadump::(dcsync|lsa)).*")
      OR matches(CommandLine, "(?i).*(Invoke-Kerberoast|Request-SPNTicket).*")
      OR matches(CommandLine, "(?i).*(goldenPac[.]py|ticketer[.]py|PyKEK).*")
      OR matches(CommandLine, "(?i).*(sekurlsa::kerberos).*")
    )
  )
  OR
  /* Branch 3: High-privilege special logon */
  (
    EventID == "4672"
    AND matches(PrivilegeList, ".*(SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege).*")
    AND !matches(SubjectUserName, ".*[$]")
    AND !(SubjectUserName in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"))
  )
| eval DetectionBranch = if(EventID == "4769", "Kerberos_RC4_TGS_Anomaly",
    if(EventID == "1", "Exploit_Tool_Kerberos",
    if(EventID == "4672", "High_Privilege_Assignment", "Unknown")))
| eval SuspicionScore = if(DetectionBranch == "Exploit_Tool_Kerberos", 5,
    if(DetectionBranch == "Kerberos_RC4_TGS_Anomaly", 4, 2))
| fields _messageTime, _sourceHost, TargetUserName, SubjectUserName, ServiceName, TicketEncryptionType, SourceIP, CommandLine, PrivilegeList, DetectionBranch, SuspicionScore
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Windows collector or installed collector (EventID 4769, 4672) Sysmon EventID 1 (Process Create) via Sumo Logic Windows collector

Required Tables

Sumo Logic partitions indexed under Windows/Security and Windows/Sysmon source categories

False Positives

Third-party identity federation products, network appliances (e.g., F5 APM, Citrix StoreFront), or UNIX hosts with Kerberos keytabs configured for RC4 that request krbtgt service tickets using RC4-HMAC; validate Branch 1 alerts by checking _sourceHost and SourceIP against a known-legacy-device lookup table maintained in a Sumo Logic lookup file
Security audit tooling — BloodHound ingestors, PingCastle, or internal Kerberoasting scripts run by the identity security team — that execute PowerShell with Invoke-Kerberoast or Request-SPNTicket on a scheduled basis; coordinate with the identity team to document scan schedules and use Sumo Logic scheduled suppression via alert muting during those windows
Enterprise backup agents (Veeam, Commvault, NetBackup) running under service accounts with SeAssignPrimaryTokenPrivilege or SeDebugPrivilege for volume shadow copy integration; use a Sumo Logic lookup file mapping service account names to approved hosts and join it to Branch 3 results to auto-enrich and filter before alerting

Google Chronicle / SecOps

yaral

rule t1212_exploitation_for_credential_access {
  meta:
    author = "Argus Detection Platform"
    description = "Detects T1212 Exploitation for Credential Access: Kerberos RC4 TGS anomalies (MS14-068/golden ticket PAC forgery), Kerberos exploitation tool signatures (Mimikatz, impacket, PowerSploit), and high-privilege escalation on user accounts"
    severity = "CRITICAL"
    mitre_attack_technique = "T1212"
    mitre_attack_tactic = "Credential Access"
    confidence = "HIGH"
    version = "1.0"

  events:
    (
      /* Branch 1: Kerberos RC4 TGS Anomaly — EventID 4769 with RC4-HMAC targeting krbtgt */
      (
        $e.metadata.vendor_name = "Microsoft" and
        $e.metadata.product_event_type = "4769" and
        re.regex($e.target.resource.name, `(?i)^krbtgt`) and
        re.regex($e.extensions.auth.auth_details, `0x17`) and
        not re.regex($e.principal.user.userid, `\$`) and
        $e.principal.user.userid != "ANONYMOUS LOGON" and
        $e.principal.user.userid != ""
      )
      or
      /* Branch 2: Kerberos exploitation tool command line signatures */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line, `(?i)kerberos::(golden|silver|ptc|ptt|purge|list)`) or
          re.regex($e.target.process.command_line, `(?i)ms14[-_]068`) or
          re.regex($e.target.process.command_line, `(?i)lsadump::(dcsync|lsa)`) or
          re.regex($e.target.process.command_line, `(?i)(Invoke-Kerberoast|Request-SPNTicket|Get-KerberosTicketGrantingTicket)`) or
          re.regex($e.target.process.command_line, `(?i)(goldenPac\.py|ticketer\.py)`) or
          re.regex($e.target.process.command_line, `(?i)sekurlsa::kerberos`) or
          re.regex($e.target.process.command_line, `(?i)PyKEK`)
        )
      )
      or
      /* Branch 3: High-privilege special logon — EventID 4672 with elevated tokens on user account */
      (
        $e.metadata.vendor_name = "Microsoft" and
        $e.metadata.product_event_type = "4672" and
        (
          re.regex($e.extensions.auth.auth_details, `SeDebugPrivilege`) or
          re.regex($e.extensions.auth.auth_details, `SeTcbPrivilege`) or
          re.regex($e.extensions.auth.auth_details, `SeAssignPrimaryTokenPrivilege`) or
          re.regex($e.extensions.auth.auth_details, `SeTakeOwnershipPrivilege`)
        ) and
        not re.regex($e.principal.user.userid, `\$`) and
        $e.principal.user.userid != "SYSTEM" and
        $e.principal.user.userid != "LOCAL SERVICE" and
        $e.principal.user.userid != "NETWORK SERVICE"
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle with Windows Security Event Log ingestion (EventID 4769, 4672 normalized to UDM) Chronicle Sysmon or Microsoft Defender for Endpoint UDM parser for PROCESS_LAUNCH events

Required Tables

Chronicle UDM event store (evaluated by YARA-L detection engine)

False Positives

Kerberos authentication from legacy clients (pre-Vista Windows hosts, UNIX systems with MIT Kerberos using RC4-only keytabs, or older network appliances) that genuinely request RC4-encrypted tickets for legitimate services and occasionally request a krbtgt-related ticket; build a YARA-L exception rule that suppresses Branch 1 when principal.ip matches a reference list of known legacy host IPs maintained in Chronicle's reference list feature
Authorized red team or purple team exercises conducting TIBER-EU, CBEST, or internal adversary simulation programs that execute Mimikatz, impacket, or Rubeus as part of approved attack scenarios; Chronicle detection rules can be temporarily suppressed by rule ID or tagged for review-only during approved engagement windows using the Chronicle alert exclusion or rule deactivation capability
EDR or PAM platform agents (CrowdStrike Falcon sensor, CyberArk CPM, BeyondTrust) running under local service accounts that may appear as user principals in UDM normalization and trigger Branch 3 when their service processes receive elevated tokens; validate by confirming target.process.file.full_path matches known security software installation paths before escalating

CrowdStrike LogScale (CQL)

cql

// T1212 - Exploitation for Credential Access
// Branch 2 (primary Falcon-native): Kerberos exploitation tool signatures via ProcessRollup2
#event_simpleName=ProcessRollup2
| CommandLine=/(?i)(kerberos::(golden|silver|ptc|ptt|purge|list\/export)|ms14[-_]068|lsadump::(dcsync|lsa(\s+\/patch)?)|Invoke-Kerberoast|Request-SPNTicket|Get-KerberosTicketGrantingTicket|goldenPac\.py|ticketer\.py|sekurlsa::kerberos|PyKEK)/
| eval(DetectionBranch:="Exploit_Tool_Kerberos", SuspicionScore:=5)
| union {
    // Branch 1: Kerberos RC4 TGS Anomaly
    // Requires Windows Security Event Log forwarding to LogScale
    #event_simpleName=SecurityEvent EventCode=4769
    | TicketEncryptionType="0x17"
    | ServiceName=/(?i)^krbtgt/
    | UserName!=/.*[\$]$/
    | UserName!="ANONYMOUS LOGON"
    | eval(DetectionBranch:="Kerberos_RC4_TGS_Anomaly", SuspicionScore:=4)
}
| union {
    // Branch 3: High-privilege special logon
    // Requires Windows Security Event Log forwarding to LogScale
    #event_simpleName=SecurityEvent EventCode=4672
    | PrivilegeList=/SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege/
    | SubjectUserName!=/.*[\$]$/
    | SubjectUserName!="SYSTEM"
    | SubjectUserName!="LOCAL SERVICE"
    | SubjectUserName!="NETWORK SERVICE"
    | eval(DetectionBranch:="High_Privilege_Assignment", SuspicionScore:=2)
}
| sort(field=@timestamp, order=desc)
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentProcessId, DetectionBranch, SuspicionScore])

critical severity high confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events (native — Branch 2) Windows Security Event Log forwarded to CrowdStrike LogScale via Windows Event Log data source connector (Branches 1 and 3)

Required Tables

ProcessRollup2 (Falcon native event stream) SecurityEvent (Windows Event Log forwarding — required for Branches 1 and 3)

False Positives

IT administrators or DevOps engineers running impacket utilities (GetST.py, secretsdump.py, ticketer.py) for legitimate Kerberos service account diagnostics, SPN auditing, or cross-realm trust testing during a change window; Falcon ProcessRollup2 captures full CommandLine and ParentProcessId — examine the parent process chain (e.g., python.exe spawned from cmd.exe launched from an interactive terminal vs. a scripting engine) and the initiating user's normal behavioral baseline to distinguish authorized usage from exploitation
Security operations tooling such as BloodHound collection scripts, PingCastle Kerberos audits, or internal Kerberoasting assessment scripts run by the identity security team on a scheduled cadence to identify accounts with crackable service ticket hashes; coordinate with the identity team to document scan schedules, record the scanning host's ComputerName, and add temporary suppression by ComputerName in LogScale during approved audit windows
Antivirus or behavioral analysis engines that inspect Kerberos ticket data structures for malware detection, generating synthetic process events with Kerberos-related string artifacts in command line fields; validate by checking the FileName field against known security product installation paths (e.g., C:\\Program Files\\vendor\\) and verifying the SHA256 hash of the triggering executable against a trusted binary inventory in Falcon's IOC management

Last updated: 2026-04-19 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1212 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation for Credential Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Credential Access

Popular Detections