Detect Exploitation for Credential Access in CrowdStrike LogScale
Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1212 Exploitation for Credential Access
- Canonical reference
- https://attack.mitre.org/techniques/T1212/
LogScale Detection Query
// T1212 - Exploitation for Credential Access
// Pre-filter to the event types the three branches need, then assign each event to
// the first matching branch with case{} (LogScale CQL has no union function, so the
// branches are written as case{} arms; events that match no arm are dropped by the
// DetectionBranch=* filter after the block).
#event_simpleName=ProcessRollup2 OR (#event_simpleName=SecurityEvent (EventCode=4769 OR EventCode=4672))
| case {
    // Branch 2 (primary Falcon-native): Kerberos exploitation tool signatures via ProcessRollup2
    #event_simpleName=ProcessRollup2
    | CommandLine=/(?i)(kerberos::(golden|silver|ptc|ptt|purge|list\/export)|ms14[-_]068|lsadump::(dcsync|lsa(\s+\/patch)?)|Invoke-Kerberoast|Request-SPNTicket|Get-KerberosTicketGrantingTicket|goldenPac\.py|ticketer\.py|sekurlsa::kerberos|PyKEK)/
    | DetectionBranch := "Exploit_Tool_Kerberos"
    | SuspicionScore := 5;

    // Branch 1: Kerberos RC4 TGS Anomaly
    // Requires Windows Security Event Log forwarding to LogScale
    #event_simpleName=SecurityEvent EventCode=4769
    | TicketEncryptionType="0x17"
    | ServiceName=/(?i)^krbtgt/
    | UserName!=/.*[\$]$/
    | UserName!="ANONYMOUS LOGON"
    | DetectionBranch := "Kerberos_RC4_TGS_Anomaly"
    | SuspicionScore := 4;

    // Branch 3: High-privilege special logon
    // Requires Windows Security Event Log forwarding to LogScale
    #event_simpleName=SecurityEvent EventCode=4672
    | PrivilegeList=/SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege/
    | SubjectUserName!=/.*[\$]$/
    | SubjectUserName!="SYSTEM"
    | SubjectUserName!="LOCAL SERVICE"
    | SubjectUserName!="NETWORK SERVICE"
    | DetectionBranch := "High_Privilege_Assignment"
    | SuspicionScore := 2
}
| DetectionBranch=*
| sort(field=@timestamp, order=desc)
| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentProcessId, DetectionBranch, SuspicionScore])

CrowdStrike LogScale CQL detection for T1212 Exploitation for Credential Access, built from three scored branches. Branch 2 (Exploit_Tool_Kerberos, score 5) is the primary Falcon-native detection and uses ProcessRollup2 telemetry, so no additional log forwarding is required; it matches command lines from the Mimikatz kerberos::golden/silver/ptc/ptt/purge and lsadump::dcsync/lsa modules, the impacket goldenPac.py and ticketer.py scripts, PyKEK (the MS14-068 Python exploit), and the PowerSploit Invoke-Kerberoast and Request-SPNTicket cmdlets, as captured by the Falcon sensor at process creation time. Branch 1 (Kerberos_RC4_TGS_Anomaly, score 4) requires Windows Security Event Log forwarding to LogScale; it matches EventCode 4769 with the RC4-HMAC (0x17) encryption type targeting krbtgt, the canonical MS14-068 and golden ticket pre-deployment indicator. Branch 3 (High_Privilege_Assignment, score 2) also requires Windows Event Log forwarding; it matches EventCode 4672 with elevated privilege tokens assigned to non-system accounts and serves as a corroborating post-exploitation signal. In CrowdStrike-only deployments without centralized SIEM log forwarding, rely on Branch 2 as the standalone detection; Branches 1 and 3 require the LogScale Windows Event Log data source connector to be configured.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators or DevOps engineers running impacket utilities (GetST.py, secretsdump.py, ticketer.py) for legitimate Kerberos service account diagnostics, SPN auditing, or cross-realm trust testing during a change window; Falcon ProcessRollup2 captures full CommandLine and ParentProcessId — examine the parent process chain (e.g., python.exe spawned from cmd.exe launched from an interactive terminal vs. a scripting engine) and the initiating user's normal behavioral baseline to distinguish authorized usage from exploitation
- Security operations tooling such as BloodHound collection scripts, PingCastle Kerberos audits, or internal Kerberoasting assessment scripts run by the identity security team on a scheduled cadence to identify accounts with crackable service ticket hashes; coordinate with the identity team to document scan schedules, record the scanning host's ComputerName, and add temporary suppression by ComputerName in LogScale during approved audit windows
- Antivirus or behavioral analysis engines that inspect Kerberos ticket data structures for malware detection, generating synthetic process events with Kerberos-related string artifacts in command line fields; validate by checking the FileName field against known security product installation paths (e.g., C:\\Program Files\\vendor\\) and verifying the SHA256 hash of the triggering executable against a trusted binary inventory in Falcon's IOC management
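The following Python model is an added example, not code from the page or from CrowdStrike: it re-implements the three branches of the query above as a classifier over dict-shaped events (field names taken from the query), applies the false-positive tuning from the list above (approved audit hosts, trusted security-product paths and hashes), and, going one step beyond the page, sums SuspicionScore per host so corroborating branches stack. The sample events are constructed from the expected signals in the Testing Methodology; the host name IDSEC-SCAN01, the vendor path, the SHA256 strings and the `in_audit_window` flag are placeholders you would replace with your own change records and Falcon IOC inventory.

```python
import re
from collections import defaultdict

# Regular expressions copied from the LogScale query's branches.
KERBEROS_TOOL_RE = re.compile(
    r"(?i)(kerberos::(golden|silver|ptc|ptt|purge|list/export)|ms14[-_]068|"
    r"lsadump::(dcsync|lsa(\s+/patch)?)|Invoke-Kerberoast|Request-SPNTicket|"
    r"Get-KerberosTicketGrantingTicket|goldenPac\.py|ticketer\.py|"
    r"sekurlsa::kerberos|PyKEK)"
)
PRIVILEGE_RE = re.compile(
    r"SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege"
)
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Tuning inputs for the false-positive cases above. All values are constructed
# placeholders (hypothetical host, path and hash), not values from the page.
APPROVED_AUDIT_HOSTS = {"IDSEC-SCAN01"}
TRUSTED_PRODUCT_PATHS = ("c:\\program files\\vendor\\",)
TRUSTED_SHA256 = {"placeholder-sha256-of-approved-security-binary"}


def classify(event):
    """Mirror of the query's three branches: (DetectionBranch, SuspicionScore) or None."""
    kind = event.get("event_simpleName")
    if kind == "ProcessRollup2":
        if KERBEROS_TOOL_RE.search(event.get("CommandLine", "")):
            return ("Exploit_Tool_Kerberos", 5)
    elif kind == "SecurityEvent" and event.get("EventCode") == 4769:
        user = event.get("UserName", "")
        if (event.get("TicketEncryptionType") == "0x17"
                and event.get("ServiceName", "").lower().startswith("krbtgt")
                and not user.endswith("$")            # machine accounts excluded
                and user != "ANONYMOUS LOGON"):
            return ("Kerberos_RC4_TGS_Anomaly", 4)
    elif kind == "SecurityEvent" and event.get("EventCode") == 4672:
        subject = event.get("SubjectUserName", "")
        if (PRIVILEGE_RE.search(event.get("PrivilegeList", ""))
                and not subject.endswith("$")
                and subject not in SYSTEM_ACCOUNTS):
            return ("High_Privilege_Assignment", 2)
    return None


def suppression_reason(event, branch):
    """Tuning for Branch 2 hits only; returns a reason string or None."""
    if branch != "Exploit_Tool_Kerberos":
        return None
    # Scheduled identity-team audit from a documented host inside its window.
    if event.get("ComputerName") in APPROVED_AUDIT_HOSTS and event.get("in_audit_window"):
        return "approved_audit_host"
    # Security product binary: trusted install path AND trusted hash, never path alone.
    path = event.get("FilePath", "").lower()
    if path.startswith(TRUSTED_PRODUCT_PATHS) and event.get("SHA256") in TRUSTED_SHA256:
        return "trusted_security_product"
    return None


def run_detection(events):
    """Return (alerts, suppressed, per-host score totals) for a batch of events."""
    alerts, suppressed, host_scores = [], [], defaultdict(int)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        branch, score = hit
        row = {"ComputerName": ev.get("ComputerName"), "DetectionBranch": branch,
               "SuspicionScore": score}
        reason = suppression_reason(ev, branch)
        if reason:
            suppressed.append(dict(row, reason=reason))
            continue
        alerts.append(row)
        host_scores[ev.get("ComputerName")] += score
    return alerts, suppressed, dict(host_scores)


# Constructed telemetry modelled on the Testing Methodology's expected signals.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "FileName": "mimikatz.exe",
     "FilePath": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe", "SHA256": "constructed-a",
     "CommandLine": 'mimikatz.exe "kerberos::golden /ptt"'},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "FileName": "python.exe",
     "FilePath": "C:\\Python\\python.exe", "SHA256": "constructed-b",
     "CommandLine": "python.exe ms14-068.py"},
    {"event_simpleName": "SecurityEvent", "EventCode": 4769, "ComputerName": "DC01",
     "UserName": "jdoe", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"event_simpleName": "SecurityEvent", "EventCode": 4769, "ComputerName": "DC01",
     "UserName": "WS02$", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"event_simpleName": "SecurityEvent", "EventCode": 4672, "ComputerName": "DC01",
     "SubjectUserName": "Administrator", "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege"},
    {"event_simpleName": "SecurityEvent", "EventCode": 4672, "ComputerName": "DC01",
     "SubjectUserName": "SYSTEM", "PrivilegeList": "SeDebugPrivilege"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "IDSEC-SCAN01", "FileName": "python.exe",
     "FilePath": "C:\\Python\\python.exe", "SHA256": "constructed-c", "in_audit_window": True,
     "CommandLine": "python.exe ticketer.py"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "FileName": "scanner.exe",
     "FilePath": "C:\\Program Files\\Vendor\\scanner.exe",
     "SHA256": "placeholder-sha256-of-approved-security-binary",
     "CommandLine": "scanner.exe --inspect sekurlsa::kerberos"},
]

if __name__ == "__main__":
    alerts, suppressed, scores = run_detection(SAMPLE_EVENTS)
    for a in alerts:
        print("ALERT", a)
    for s in suppressed:
        print("SUPPRESSED", s)
    print("per-host totals", scores)
```

On the constructed batch this yields four alerts (two Branch 2 hits and one each from Branches 1 and 3), two suppressed Branch 2 hits, and per-host totals of 10 for WS01 and 6 for DC01; the machine-account 4769 and the SYSTEM 4672 never fire, matching the query's exclusions. The product-path suppression deliberately requires both the trusted path and a trusted hash, since an attacker-controlled binary could be dropped into a vendor directory.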
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)
Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.
- Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)
Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on DC from non-DC workstation.
- Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection
Expected signal: Sysmon Event 1: tshark.exe capturing on network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.
- Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)
Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
References (12)
- https://attack.mitre.org/techniques/T1212/
- https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
- https://adsecurity.org/?p=1515
- https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
- https://www.bugcrowd.com/glossary/replay-attack/
- https://www.comparitech.com/blog/information-security/what-is-a-replay-attack/
- https://cloud.google.com/blog/topics/threat-intelligence/unc3886-targets-vmware-for-espionage
- https://github.com/bidord/pykek
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
- https://learn.microsoft.com/en-us/defender-for-identity/understanding-security-alerts
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
- https://adsecurity.org/?p=1729