Detect Exploitation for Credential Access in Google Chronicle
Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1212 Exploitation for Credential Access
- Canonical reference: https://attack.mitre.org/techniques/T1212/
YARA-L Detection Query
```
rule t1212_exploitation_for_credential_access {
  meta:
    author = "Argus Detection Platform"
    description = "Detects T1212 Exploitation for Credential Access: Kerberos RC4 TGS anomalies (MS14-068/golden ticket PAC forgery), Kerberos exploitation tool signatures (Mimikatz, impacket, PowerSploit), and high-privilege escalation on user accounts"
    severity = "CRITICAL"
    mitre_attack_technique = "T1212"
    mitre_attack_tactic = "Credential Access"
    confidence = "HIGH"
    version = "1.0"

  events:
    (
      /* Branch 1: Kerberos RC4 TGS anomaly: EventID 4769 with RC4-HMAC targeting krbtgt */
      (
        $e.metadata.vendor_name = "Microsoft" and
        $e.metadata.product_event_type = "4769" and
        re.regex($e.target.resource.name, `(?i)^krbtgt`) and
        re.regex($e.extensions.auth.auth_details, `0x17`) and
        not re.regex($e.principal.user.userid, `\$`) and
        $e.principal.user.userid != "ANONYMOUS LOGON" and
        $e.principal.user.userid != ""
      )
      or
      /* Branch 2: Kerberos exploitation tool command line signatures */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.command_line, `(?i)kerberos::(golden|silver|ptc|ptt|purge|list)`) or
          re.regex($e.target.process.command_line, `(?i)ms14[-_]068`) or
          re.regex($e.target.process.command_line, `(?i)lsadump::(dcsync|lsa)`) or
          re.regex($e.target.process.command_line, `(?i)(Invoke-Kerberoast|Request-SPNTicket|Get-KerberosTicketGrantingTicket)`) or
          re.regex($e.target.process.command_line, `(?i)(goldenPac\.py|ticketer\.py)`) or
          re.regex($e.target.process.command_line, `(?i)sekurlsa::kerberos`) or
          re.regex($e.target.process.command_line, `(?i)PyKEK`)
        )
      )
      or
      /* Branch 3: High-privilege special logon: EventID 4672 with elevated tokens on a user account */
      (
        $e.metadata.vendor_name = "Microsoft" and
        $e.metadata.product_event_type = "4672" and
        (
          re.regex($e.extensions.auth.auth_details, `SeDebugPrivilege`) or
          re.regex($e.extensions.auth.auth_details, `SeTcbPrivilege`) or
          re.regex($e.extensions.auth.auth_details, `SeAssignPrimaryTokenPrivilege`) or
          re.regex($e.extensions.auth.auth_details, `SeTakeOwnershipPrivilege`)
        ) and
        not re.regex($e.principal.user.userid, `\$`) and
        $e.principal.user.userid != "SYSTEM" and
        $e.principal.user.userid != "LOCAL SERVICE" and
        $e.principal.user.userid != "NETWORK SERVICE"
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 detection rule for T1212 Exploitation for Credential Access. Branch 1 matches Windows EventID 4769 (Kerberos service ticket operations) where the target resource is krbtgt and auth_details in the UDM extensions field indicate RC4-HMAC (encryption type 0x17): in an AES-capable domain this is the canonical indicator of MS14-068 PAC forgery or of a golden ticket forged with Mimikatz kerberos::golden. Machine accounts (userid ending in `$`), ANONYMOUS LOGON and empty principals are excluded. Branch 2 matches PROCESS_LAUNCH events where the command line contains signatures of known Kerberos exploitation tooling: Mimikatz kerberos::golden/silver/ptc/ptt/purge and lsadump::dcsync/lsa, impacket goldenPac.py and ticketer.py, PyKEK (MS14-068 PoC), and PowerSploit Invoke-Kerberoast/Request-SPNTicket. Branch 3 matches EventID 4672 where dangerous privilege tokens (SeDebugPrivilege, SeTcbPrivilege, SeAssignPrimaryTokenPrivilege, SeTakeOwnershipPrivilege) are assigned to principals that are neither built-in system identities nor machine accounts, as a post-exploitation corroborating signal. The rule uses a single event variable $e with OR logic across all branches, so any one branch is enough to fire. Windows Security Events must be normalized to UDM with product_event_type carrying the EventID as a string. PROCESS_LAUNCH events require Sysmon or MDE telemetry ingested through the appropriate Chronicle parser.
False Positives & Tuning
- Kerberos authentication from legacy clients (pre-Vista Windows hosts, UNIX systems with MIT Kerberos using RC4-only keytabs, or older network appliances) that genuinely request RC4-encrypted tickets for legitimate services and occasionally request a krbtgt-related ticket; build a YARA-L exception rule that suppresses Branch 1 when principal.ip matches a reference list of known legacy host IPs maintained in Chronicle's reference list feature
- Authorized red team or purple team exercises conducting TIBER-EU, CBEST, or internal adversary simulation programs that execute Mimikatz, impacket, or Rubeus as part of approved attack scenarios; Chronicle detection rules can be temporarily suppressed by rule ID or tagged for review-only during approved engagement windows using the Chronicle alert exclusion or rule deactivation capability
- EDR or PAM platform agents (CrowdStrike Falcon sensor, CyberArk CPM, BeyondTrust) running under local service accounts that may appear as user principals in UDM normalization and trigger Branch 3 when their service processes receive elevated tokens; validate by confirming target.process.file.full_path matches known security software installation paths before escalating
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)
  Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for the krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in the command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.
- Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)
  Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in the command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on the DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on the DC from a non-DC workstation.
- Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection
  Expected signal: Sysmon Event 1: tshark.exe capturing on a network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.
- Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)
  Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
References
- https://attack.mitre.org/techniques/T1212/
- https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
- https://adsecurity.org/?p=1515
- https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- https://www.bugcrowd.com/glossary/replay-attack/
- https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-targets-vmware-for-espionage
- https://github.com/bidord/pykek
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
- https://learn.microsoft.com/en-us/defender-for-identity/understanding-security-alerts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
- https://adsecurity.org/?p=1729