T1212 Elastic Security · Elastic

Detect Exploitation for Credential Access in Elastic Security

Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.

MITRE ATT&CK

  • Tactic: Credential Access
  • Technique: T1212 Exploitation for Credential Access
  • Canonical reference: https://attack.mitre.org/techniques/T1212/

Elastic Detection Query

Query language: EQL
any where
  /* Branch 1: Kerberos RC4 TGS Anomaly — MS14-068 / golden ticket PAC forgery indicator */
  (
    event.code == "4769" and
    winlog.event_data.TicketEncryptionType == "0x17" and
    winlog.event_data.ServiceName : "krbtgt" and
    not winlog.event_data.TargetUserName : "*$" and
    winlog.event_data.TargetUserName != "ANONYMOUS LOGON" and
    winlog.event_data.TargetUserName != ""
  )
  or
  /* Branch 2: Kerberos exploitation tool command line signatures */
  (
    event.category : "process" and
    event.type : "start" and
    process.command_line : (
      "*kerberos::golden*", "*kerberos::silver*", "*kerberos::ptc*",
      "*kerberos::ptt*", "*kerberos::purge*", "*kerberos::list /export*",
      "*goldenPac.py*", "*ticketer.py*", "*PyKEK*",
      "*ms14-068*", "*ms14_068*", "*lsadump::dcsync*",
      "*lsadump::lsa /patch*", "*Invoke-Kerberoast*",
      "*Request-SPNTicket*", "*sekurlsa::kerberos*"
    )
  )
  or
  /* Branch 3: High-privilege special logon on user account — corroborating escalation signal */
  (
    event.code == "4672" and
    winlog.event_data.PrivilegeList : (
      "*SeDebugPrivilege*", "*SeTcbPrivilege*",
      "*SeAssignPrimaryTokenPrivilege*", "*SeTakeOwnershipPrivilege*"
    ) and
    not winlog.event_data.SubjectUserName : "*$" and
    winlog.event_data.SubjectUserName != "SYSTEM" and
    winlog.event_data.SubjectUserName != "LOCAL SERVICE" and
    winlog.event_data.SubjectUserName != "NETWORK SERVICE"
  )
Severity: critical; confidence: high

Detects T1212 Exploitation for Credential Access via three branches: (1) EventID 4769 with RC4-HMAC (0x17) encryption targeting krbtgt — the definitive MS14-068 PAC forgery and golden ticket pre-deployment indicator in AES-capable domains; (2) process command line signatures for known Kerberos exploitation tools including Mimikatz kerberos:: and lsadump:: modules, impacket goldenPac/ticketer scripts, PyKEK, and PowerSploit Invoke-Kerberoast; (3) EventID 4672 high-privilege special logon assignment granting SeDebugPrivilege or SeTcbPrivilege to non-system non-machine-account principals as a corroborating post-exploitation signal. Requires Winlogbeat or Elastic Agent with Windows integration for Security Event Log collection and Sysmon forwarding for process command line visibility.

Data Sources

  • Windows Security Event Log (EventID 4769, 4672) via Winlogbeat or Elastic Agent
  • Sysmon EventID 1 (Process Create) via Winlogbeat or Elastic Agent

Required Tables

  • logs-endpoint.events.process-*
  • logs-system.security-*
  • winlogbeat-*

False Positives & Tuning

  • Legacy applications, printers, NAS devices, or UNIX hosts with Kerberos keytabs configured for RC4-only encryption that genuinely request krbtgt service tickets with RC4-HMAC; validate by cross-referencing the requesting IpAddress against a known legacy device inventory and confirming no subsequent privilege escalation events occur within 5 minutes
  • Authorized penetration testers or red team operators executing impacket, Mimikatz, or PowerSploit toolsets during a defined engagement window; correlate alert timestamps against approved change management records and tester source IP ranges before escalating — consider populating an exception list by host.name during scheduled assessment periods
  • Domain administrators or service accounts on privileged access workstations (PAWs) that legitimately hold SeDebugPrivilege for debugging or backup operations; baseline which user/host combinations regularly receive EventID 4672 with these privileges and apply a host-level exception for known PAW systems in your detection tuning

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)

    Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.

  2. Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)

    Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on DC from non-DC workstation.

  3. Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection

    Expected signal: Sysmon Event 1: tshark.exe capturing on network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.

  4. Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)

    Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
