
Detect Exploitation for Credential Access in IBM QRadar

Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1212 Exploitation for Credential Access
Canonical reference
https://attack.mitre.org/techniques/T1212/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS AccountName,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(highlevelcategory) AS EventCategory,
  "Message" AS RawMessage,
  hostname AS HostName,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Sysmon'
  )
  /* starttime is the column the query already orders by; NOW() is in milliseconds, so 86400000 = 24 hours */
  AND starttime > NOW() - 86400000
  AND (
    /* Branch 1: Kerberos RC4 TGS Anomaly — EventID 4769 RC4-HMAC targeting krbtgt */
    (
      QIDNAME(qid) ILIKE '%Kerberos Service Ticket%'
      AND "Message" ILIKE '%0x17%'
      AND "Message" ILIKE '%krbtgt%'
      AND username NOT LIKE '%$'
      AND username NOT IN ('ANONYMOUS LOGON', '')
    )
    OR
    /* Branch 2: Kerberos exploitation tool command line signatures */
    (
      "Message" ILIKE '%kerberos::golden%'
      OR "Message" ILIKE '%kerberos::silver%'
      OR "Message" ILIKE '%kerberos::ptc%'
      OR "Message" ILIKE '%kerberos::ptt%'
      OR "Message" ILIKE '%kerberos::purge%'
      OR "Message" ILIKE '%goldenPac.py%'
      OR "Message" ILIKE '%ticketer.py%'
      OR "Message" ILIKE '%PyKEK%'
      OR "Message" ILIKE '%ms14-068%'
      OR "Message" ILIKE '%ms14_068%'
      OR "Message" ILIKE '%lsadump::dcsync%'
      OR "Message" ILIKE '%lsadump::lsa%'
      OR "Message" ILIKE '%Invoke-Kerberoast%'
      OR "Message" ILIKE '%Request-SPNTicket%'
      OR "Message" ILIKE '%sekurlsa::kerberos%'
    )
    OR
    /* Branch 3: High-privilege special logon — EventID 4672 with elevated tokens */
    (
      QIDNAME(qid) ILIKE '%Special Privileges Assigned%'
      AND (
        "Message" ILIKE '%SeDebugPrivilege%'
        OR "Message" ILIKE '%SeTcbPrivilege%'
        OR "Message" ILIKE '%SeAssignPrimaryTokenPrivilege%'
        OR "Message" ILIKE '%SeTakeOwnershipPrivilege%'
      )
      AND username NOT LIKE '%$'
      AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
    )
  )
ORDER BY starttime DESC
LIMIT 1000
```

Severity: critical. Confidence: high.

This QRadar AQL detection for T1212 Exploitation for Credential Access queries the events table for Windows Security Event Log and Sysmon log sources over the prior 24 hours. Branch 1 matches Kerberos service ticket request events whose raw message contains the RC4-HMAC encryption type (0x17) together with the krbtgt service name, the canonical MS14-068 PAC forgery and golden ticket indicator. Branch 2 scans the raw Message content for Kerberos exploitation tool command line signatures (Mimikatz, impacket, PyKEK, PowerSploit) as captured by Sysmon EventID 1 process creation events. Branch 3 matches special privilege assignment events whose raw message shows dangerous privilege tokens assigned to non-system accounts. Scanning the Message field covers both normalized and raw log text, so the rule is resilient to field normalization differences across QRadar DSMs. Tune Branch 3 by populating a QRadar reference set with known privileged account names that legitimately hold these privileges.

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM — EventID 4769, 4672)
  • Microsoft Sysmon (QRadar DSM — EventID 1 Process Create)

Required Tables

events

False Positives & Tuning

  • Domain controllers in mixed-mode environments serving Kerberos clients that require RC4 encryption (legacy Windows XP remnants, embedded systems, network appliances with RC4-only Kerberos configurations); cross-reference the sourceip field from Branch 1 alerts against a QRadar reference set of approved legacy device IPs and suppress if matched
  • Authorized red team or penetration testing personnel running impacket, Mimikatz, or Rubeus during a defined assessment engagement; use QRadar building blocks with a time-bounded reference set of approved tester source IPs to suppress Branch 2 alerts during the assessment window and re-enable after close
  • Enterprise backup or privileged identity management software (e.g., CyberArk Vault, Veeam, Commvault) running under dedicated service accounts that legitimately receive SeAssignPrimaryTokenPrivilege or SeDebugPrivilege for volume shadow copy or credential vault operations; add these service account names to a QRadar reference set and exclude them from Branch 3 rule firing

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)

    Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.

  2. Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)

    Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on DC from non-DC workstation.

  3. Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection

    Expected signal: Sysmon Event 1: tshark.exe capturing on network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.

  4. Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)

    Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
