T1212 Microsoft Sentinel · KQL

Detect Exploitation for Credential Access in Microsoft Sentinel

Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1212 Exploitation for Credential Access
Canonical reference
https://attack.mitre.org/techniques/T1212/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
let LookbackPeriod = 24h;
// Branch 1: Kerberos TGS requests using RC4 encryption for krbtgt service
// RC4-HMAC (0x17) for krbtgt TGS is a classic MS14-068 / forged ticket indicator in AES-capable environments
let KerberosTGSAnomalies = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| where TicketEncryptionType == "0x17"                    // RC4-HMAC — suspicious when AES-256 (0x12) expected
| where ServiceName =~ "krbtgt"                            // Forged TGTs always request krbtgt service ticket
| where TargetUserName !endswith "$"                        // Exclude machine accounts
| where TargetUserName !in~ ("ANONYMOUS LOGON", "")
| extend DetectionBranch = "Kerberos_RC4_TGS_Anomaly"
| project TimeGenerated, Computer,
          AccountName = TargetUserName,
          Detail = strcat("Service:", ServiceName, " EncType:", TicketEncryptionType, " SrcIP:", IpAddress, " Options:", TicketOptions),
          DetectionBranch;
// Branch 2: Known Kerberos exploitation and credential access tool signatures in process events
let ExploitToolExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where ProcessCommandLine has_any (
    "kerberos::golden", "kerberos::silver", "kerberos::ptc", "kerberos::purge",
    "sekurlsa::kerberos", "lsadump::dcsync", "lsadump::lsa /patch",
    "goldenPac.py", "ticketer.py", "PyKEK", "ms14-068", "ms14_068",
    "Invoke-Kerberoast", "Request-SPNTicket", "Get-KerberosTicketGrantingTicket",
    "kerberos::list /export", "kerberos::ptt"
)
| extend DetectionBranch = "Exploit_Tool_Kerberos"
| project TimeGenerated = Timestamp, Computer = DeviceName,
          AccountName,
          Detail = ProcessCommandLine,
          DetectionBranch;
// Branch 3: Kerberos pre-authentication failure sweep — multiple failures across accounts from single source
let KerberosExploitSweep = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4771
| where TargetUserName !endswith "$"
| summarize FailureCount = count(),
            AffectedAccounts = dcount(TargetUserName),
            Codes = make_set(Status, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, Computer, bin(TimeGenerated, 10m)
| where FailureCount >= 5 and AffectedAccounts >= 2
| extend DetectionBranch = "Kerberos_Exploit_Sweep"
| project TimeGenerated = LastSeen, Computer,
          AccountName = strcat("Multiple (", tostring(AffectedAccounts), " accounts)"),
          Detail = strcat("Failures:", FailureCount, " Accounts:", AffectedAccounts, " SrcIP:", IpAddress, " Codes:", tostring(Codes)),
          DetectionBranch;
// Branch 4: Temporal correlation — Kerberos RC4 anomaly followed by high-privilege logon within 5 minutes
let RecentKerberosAnomaly = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| where TicketEncryptionType == "0x17" and ServiceName =~ "krbtgt"
| where TargetUserName !endswith "$"
| project KerberosTime = TimeGenerated, Computer, AnomalousUser = TargetUserName;
let PrivilegeEscalation = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4672
| where PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege")
| where SubjectUserName !endswith "$"
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| project EscalationTime = TimeGenerated, Computer, EscalatedUser = SubjectUserName, Privileges = PrivilegeList;
// Note: 4769 is logged on the domain controller that issued the ticket, while 4672 is logged on the host
// where the logon lands, so this host-keyed join only matches privileged logons on that DC itself.
let KerberosPrivEscChain = RecentKerberosAnomaly
| join kind=inner PrivilegeEscalation on Computer
| where EscalationTime > KerberosTime and EscalationTime <= KerberosTime + 5m
| where AnomalousUser =~ EscalatedUser
| extend DetectionBranch = "Kerberos_Exploit_PrivEsc_Chain"
| project TimeGenerated = EscalationTime, Computer,
          AccountName = EscalatedUser,
          Detail = strcat("Kerberos RC4 anomaly at:", tostring(KerberosTime), " — privilege escalation:", Privileges),
          DetectionBranch;
// Union all detection branches
union KerberosTGSAnomalies, ExploitToolExecution, KerberosExploitSweep, KerberosPrivEscChain
| sort by TimeGenerated desc
```

Severity: critical · Confidence: medium

Multi-branch detection for T1212 Exploitation for Credential Access using Microsoft Sentinel SecurityEvent and Defender for Endpoint telemetry. Branch 1 identifies Kerberos TGS requests using RC4-HMAC (0x17) encryption against the krbtgt service — the hallmark of MS14-068 PAC forgery and golden/silver ticket attacks in modern AES-capable Active Directory environments. Branch 2 matches command-line patterns for known Kerberos exploitation tools including Mimikatz kerberos:: modules, goldenPac.py, PyKEK, and Kerberoasting scripts. Branch 3 detects automated exploitation sweeps by aggregating Kerberos pre-authentication failures (Event 4771) across multiple accounts from a single source within a 10-minute window. Branch 4 provides temporal correlation between Kerberos anomalies and subsequent high-privilege logon events (Event 4672) within 5 minutes, indicating a successful exploitation chain.
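Branch 4 keys its join on Computer, so it only fires when the privileged logon lands on the same domain controller that logged the 4769. The following is an added variant, not the page's rule, that correlates on the requesting account instead and therefore surfaces a privileged logon on any host within the 5-minute window; the column names are the standard SecurityEvent schema and the branch label is an assumption.

```kusto
let LookbackPeriod = 24h;
let CorrelationWindow = 5m;
// RC4 krbtgt TGS anomaly (same filter as Branch 1/4), keyed on the requesting account
let RC4Anomaly = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769 and TicketEncryptionType == "0x17" and ServiceName =~ "krbtgt"
| where TargetUserName !endswith "$"
| where TargetUserName !in~ ("ANONYMOUS LOGON", "")
| project KerberosTime = TimeGenerated, DomainController = Computer,
          Account = tolower(TargetUserName), SrcIP = IpAddress;
// Privileged logons on any host: 4672 is written by the host where the logon lands, not by the DC
let PrivLogon = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4672
| where PrivilegeList has_any ("SeDebugPrivilege", "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege")
| where SubjectUserName !endswith "$"
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| project EscalationTime = TimeGenerated, TargetHost = Computer,
          Account = tolower(SubjectUserName), Privileges = PrivilegeList;
RC4Anomaly
| join kind=inner (PrivLogon) on Account
| where EscalationTime > KerberosTime and EscalationTime <= KerberosTime + CorrelationWindow
// Keep only the first privileged logon after each anomaly so one ticket does not produce a burst of rows
| summarize arg_min(EscalationTime, *) by Account, KerberosTime
| project TimeGenerated = EscalationTime, Computer = TargetHost, AccountName = Account,
          Detail = strcat("RC4 krbtgt TGS on ", DomainController, " at ", tostring(KerberosTime),
                          " from ", SrcIP, "; privileged logon on ", TargetHost, " with ", Privileges),
          DetectionBranch = "Kerberos_Exploit_PrivEsc_Chain_ByAccount"   // assumed label
| sort by TimeGenerated desc
```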

Data Sources

  • Authentication: Authentication
  • Logon Session: Logon Session Creation
  • Process: Process Creation
  • Windows Security Event Log
  • Microsoft Defender for Endpoint

Required Tables

  • SecurityEvent
  • DeviceProcessEvents

False Positives & Tuning

  • Legacy applications or domain-joined systems configured to only support RC4 Kerberos encryption that legitimately request krbtgt TGS tickets with TicketEncryptionType 0x17
  • Environments with mixed encryption policy (GPO: Network security: Configure encryption types allowed for Kerberos) where RC4 is explicitly permitted for compatibility with older systems
  • Authorized penetration testing or red team exercises using Kerberoasting, Mimikatz, or MS14-068 proof-of-concept tools — correlate with change management tickets and known testing windows
  • Monitoring, backup, or ITSM agents making frequent Kerberos service ticket requests that may trigger the pre-authentication failure sweep threshold
  • Domain controller promotion, demotion, or inter-site replication operations that trigger EventID 4672 with elevated privileges on DC accounts
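To apply the first, third and fourth tuning points without editing the rule's thresholds, the exclusions can be held in Sentinel watchlists and joined in. This is an added example, not part of the original rule; the three watchlist names and their columns (SearchKey for hosts or accounts; Account, WindowStart, WindowEnd for testing windows) are assumptions you would create in your own workspace.

```kusto
let LookbackPeriod = 24h;
// Assumed watchlist: SearchKey holds the IP or account of RC4-only legacy systems
let RC4Allowlist = _GetWatchlist('T1212_RC4_Allowlist') | project SearchKey;
// Assumed watchlist: approved red-team windows with columns Account, WindowStart, WindowEnd
let TestWindows = _GetWatchlist('T1212_AuthorizedTesting')
    | project Account = tostring(Account), WindowStart = todatetime(WindowStart), WindowEnd = todatetime(WindowEnd);
// Assumed watchlist: SearchKey holds monitoring, backup and ITSM agent identities
let AgentAccounts = _GetWatchlist('T1212_ServiceAgents') | project SearchKey;
// Branch 1 with the RC4 allowlist and testing-window suppression applied
let TunedRC4 = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769 and TicketEncryptionType == "0x17" and ServiceName =~ "krbtgt"
| where TargetUserName !endswith "$"
| where IpAddress !in (RC4Allowlist) and TargetUserName !in~ (RC4Allowlist)
| join kind=leftouter (TestWindows) on $left.TargetUserName == $right.Account
| extend InWindow = isnotempty(Account) and TimeGenerated between (WindowStart .. WindowEnd)
// An account may have several windows; collapse back to one row per event and drop it if any window matched
| summarize Suppressed = countif(InWindow) by TimeGenerated, Computer, TargetUserName, IpAddress
| where Suppressed == 0
| project TimeGenerated, Computer, AccountName = TargetUserName,
          Detail = strcat("RC4 krbtgt TGS SrcIP:", IpAddress),
          DetectionBranch = "Kerberos_RC4_TGS_Anomaly_Tuned";
// Branch 3 with agent service accounts removed before the sweep is counted
let TunedSweep = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod) and EventID == 4771
| where TargetUserName !endswith "$"
| where TargetUserName !in~ (AgentAccounts)
| summarize FailureCount = count(), AffectedAccounts = dcount(TargetUserName), LastSeen = max(TimeGenerated)
    by IpAddress, Computer, bin(TimeGenerated, 10m)
| where FailureCount >= 5 and AffectedAccounts >= 2
| project TimeGenerated = LastSeen, Computer,
          AccountName = strcat("Multiple (", tostring(AffectedAccounts), " accounts)"),
          Detail = strcat("Failures:", FailureCount, " SrcIP:", IpAddress),
          DetectionBranch = "Kerberos_Exploit_Sweep_Tuned";
union TunedRC4, TunedSweep
| sort by TimeGenerated desc
```

Suppressed rows are dropped rather than downgraded, so keep the untuned rule running in a hunting workbook if you want to review what the watchlists are filtering out.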
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)

    Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.

  2. Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)

    Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on DC from non-DC workstation.

  3. Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection

    Expected signal: Sysmon Event 1: tshark.exe capturing on network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.

  4. Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)

    Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
