T1212 Splunk · SPL

Detect Exploitation for Credential Access in Splunk

Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1212 Exploitation for Credential Access
Canonical reference: https://attack.mitre.org/techniques/T1212/

SPL Detection Query

Splunk (SPL)
((index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4769 OR EventCode=4771 OR EventCode=4672))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*kerberos::golden*" OR CommandLine="*kerberos::silver*" OR CommandLine="*kerberos::ptc*"
   OR CommandLine="*kerberos::purge*" OR CommandLine="*kerberos::ptt*" OR CommandLine="*goldenPac.py*"
   OR CommandLine="*ticketer.py*" OR CommandLine="*PyKEK*" OR CommandLine="*ms14-068*"
   OR CommandLine="*ms14_068*" OR CommandLine="*lsadump::dcsync*" OR CommandLine="*lsadump::lsa*"
   OR CommandLine="*Invoke-Kerberoast*" OR CommandLine="*Request-SPNTicket*"
   OR CommandLine="*sekurlsa::kerberos*" OR CommandLine="*kerberos::list*")))
| rex field=_raw "Service Name:\s+(?<ExtServiceName>[^\r\n]+)"
| rex field=_raw "Ticket Encryption Type:\s+(?<ExtTicketEncType>0x[0-9a-fA-F]+)"
| rex field=_raw "Account Name:\s+(?<ExtTargetAccount>[^\r\n]+)"
| rex field=_raw "Client Address:\s+(?:::ffff:)?(?<ExtSourceIP>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
| eval ResolvedServiceName=coalesce(ServiceName, ExtServiceName)
| eval ResolvedEncType=coalesce(TicketEncryptionType, ExtTicketEncType)
| eval ResolvedUser=coalesce(TargetUserName, ExtTargetAccount, User)
| eval DetectionBranch=case(
    EventCode=4769 AND ResolvedEncType="0x17" AND (ResolvedServiceName="krbtgt" OR ExtServiceName="krbtgt"), "Kerberos_RC4_TGS_Anomaly",
    EventCode=4672 AND match(PrivilegeList, "(SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege)") AND NOT match(ResolvedUser, ".*\$") AND NOT (ResolvedUser="SYSTEM" OR ResolvedUser="LOCAL SERVICE" OR ResolvedUser="NETWORK SERVICE"), "High_Privilege_Assignment",
    EventCode=1 AND match(CommandLine, "(kerberos::(golden|silver|ptc|purge|ptt)|goldenPac\.py|ticketer\.py|PyKEK|ms14[-_]068|lsadump::(dcsync|lsa)|Invoke-Kerberoast|Request-SPNTicket|sekurlsa::kerberos)"), "Exploit_Tool_Kerberos",
    true(), null()
)
| where isnotnull(DetectionBranch)
| where NOT (EventCode=4769 AND match(ResolvedUser, ".*\$"))
| eval SuspicionScore=case(
    DetectionBranch="Kerberos_RC4_TGS_Anomaly", 4,
    DetectionBranch="Exploit_Tool_Kerberos", 5,
    DetectionBranch="High_Privilege_Assignment", 2,
    true(), 1
)
| table _time, host, ResolvedUser, ResolvedServiceName, ResolvedEncType, ExtSourceIP, PrivilegeList, CommandLine, DetectionBranch, SuspicionScore
| sort - _time
Severity: critical · Confidence: medium

Multi-branch SPL detection for T1212 across Windows Security logs and Sysmon process creation events. The query combines EventCode 4769 (Kerberos service ticket requests with RC4 encryption for krbtgt), EventCode 4672 (special privilege assignments to non-system accounts), and Sysmon EventCode 1 process creation matching known Kerberos exploitation tool command-line patterns. Field extraction uses rex against raw events as a fallback for environments where Windows TA field parsing may differ. SuspicionScore (1-5) prioritizes alerts: score 5 for confirmed exploit tool execution, score 4 for RC4 krbtgt anomalies, score 2 for privilege assignments following potential exploitation. Analysts should focus triage on scores >= 4.

Data Sources

  • Authentication: Authentication
  • Logon Session: Logon Session Creation
  • Process: Process Creation
  • Windows Security Event Log
  • Sysmon Event ID 1

Required Sourcetypes

  • WinEventLog:Security
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legacy applications configured for RC4-only Kerberos that legitimately request krbtgt service tickets
  • Domain controllers and privileged service accounts receiving SeDebugPrivilege or SeTcbPrivilege through legitimate Group Policy assignments
  • Authorized penetration testing or red team operations using Mimikatz or Impacket Kerberos modules
  • Vulnerability scanning tools that probe Kerberos services and generate pre-authentication failures across multiple accounts
  • Kerberos-integrated monitoring solutions that perform frequent ticket requests as part of health checking

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)

    Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.

  2. Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)

    Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on DC from non-DC workstation.

  3. Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection

    Expected signal: Sysmon Event 1: tshark.exe capturing on network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.

  4. Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)

    Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
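The following Python script is an added example and is not part of this detection page or its SPL query. It re-implements the query's stages (rex extraction from `_raw`, the `case()` branching, the two `where` filters and the SuspicionScore) over constructed events shaped like the Windows telemetry the query description and Tests 1 to 3 above expect, so the branch logic and the regular expressions can be checked offline before the search is deployed. Field names (EventCode, _raw, PrivilegeList, CommandLine, User, host) follow the query; the sample events, host names, account names, SIDs and IP addresses are constructed and not real telemetry.

```python
import re

# Regular expressions copied from the query's rex / match() stages.
RX_SERVICE = re.compile(r"Service Name:\s+([^\r\n]+)")
RX_ENC = re.compile(r"Ticket Encryption Type:\s+(0x[0-9a-fA-F]+)")
RX_ACCOUNT = re.compile(r"Account Name:\s+([^\r\n]+)")
RX_CLIENT = re.compile(r"Client Address:\s+(?:::ffff:)?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")
RX_PRIV = re.compile(r"(SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege)")
RX_TOOL = re.compile(r"(kerberos::(golden|silver|ptc|purge|ptt)|goldenPac\.py|ticketer\.py|PyKEK"
                     r"|ms14[-_]068|lsadump::(dcsync|lsa)|Invoke-Kerberoast|Request-SPNTicket|sekurlsa::kerberos)")
RX_COMPUTER = re.compile(r".*\$")  # computer accounts end in '$'
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
SCORES = {"Exploit_Tool_Kerberos": 5, "Kerberos_RC4_TGS_Anomaly": 4, "High_Privilege_Assignment": 2}

# Constructed sample events (classic multi-line Security events plus one Sysmon event).
SAMPLE_EVENTS = [
    {"EventCode": 4769, "host": "DC01", "_raw":
        "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n"
        "\tAccount Name:\t\tjdoe@CORP.LOCAL\r\n\tAccount Domain:\t\tCORP.LOCAL\r\n\r\n"
        "Service Information:\r\n\tService Name:\t\tkrbtgt\r\n\r\nNetwork Information:\r\n"
        "\tClient Address:\t\t::ffff:10.0.0.25\r\n\tClient Port:\t\t51234\r\n\r\n"
        "Additional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x17\r\n"},
    # Same RC4/krbtgt shape from a computer account: the query's second where drops it.
    {"EventCode": 4769, "host": "DC01", "_raw":
        "A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n"
        "\tAccount Name:\t\tWS07$@CORP.LOCAL\r\n\r\nService Information:\r\n\tService Name:\t\tkrbtgt\r\n\r\n"
        "Network Information:\r\n\tClient Address:\t\t::ffff:10.0.0.7\r\n\r\n"
        "Additional Information:\r\n\tTicket Encryption Type:\t0x17\r\n"},
    {"EventCode": 4672, "host": "DC01", "PrivilegeList": "SeSecurityPrivilege SeDebugPrivilege SeTcbPrivilege",
     "_raw": "Special privileges assigned to new logon.\r\n\r\nSubject:\r\n"
             "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\r\n\tAccount Name:\t\tadmin2\r\n"
             "\tAccount Domain:\t\tCORP\r\n\tLogon ID:\t\t0x3E7A1\r\n"},
    # Built-in SYSTEM logon with the same privileges: excluded by the allow-list.
    {"EventCode": 4672, "host": "DC01", "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege",
     "_raw": "Special privileges assigned to new logon.\r\n\r\nSubject:\r\n"
             "\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n"},
    {"EventCode": 1, "host": "WS07", "User": "CORP\\jdoe",
     "CommandLine": 'mimikatz.exe "kerberos::ptc C:\\Users\\Public\\TGT.ccache" exit'},
    # Benign ticket purge via klist: no "kerberos::" tool pattern, so no branch.
    {"EventCode": 1, "host": "WS07", "User": "CORP\\jdoe",
     "CommandLine": "C:\\Windows\\System32\\klist.exe purge"},
]


def extract(ev):
    """Mirror the rex + coalesce stages: TA fields first, then raw-text fallbacks."""
    raw = ev.get("_raw", "")

    def first(rx):
        m = rx.search(raw)
        return m.group(1) if m else None

    return {
        "ResolvedServiceName": ev.get("ServiceName") or first(RX_SERVICE),
        "ResolvedEncType": ev.get("TicketEncryptionType") or first(RX_ENC),
        "ResolvedUser": ev.get("TargetUserName") or first(RX_ACCOUNT) or ev.get("User"),
        "ExtSourceIP": first(RX_CLIENT),
    }


def classify(ev):
    """Return (DetectionBranch, SuspicionScore) or None, following the case() and where stages."""
    f = extract(ev)
    code = ev.get("EventCode")
    user = f["ResolvedUser"] or ""
    branch = None
    if code == 4769 and f["ResolvedEncType"] == "0x17" and f["ResolvedServiceName"] == "krbtgt":
        branch = "Kerberos_RC4_TGS_Anomaly"
    elif (code == 4672 and RX_PRIV.search(ev.get("PrivilegeList") or "")
          and not RX_COMPUTER.search(user) and user not in SYSTEM_ACCOUNTS):
        branch = "High_Privilege_Assignment"
    elif code == 1 and RX_TOOL.search(ev.get("CommandLine") or ""):
        branch = "Exploit_Tool_Kerberos"
    if branch is None:
        return None
    if code == 4769 and RX_COMPUTER.search(user):  # second where: drop computer-account TGS requests
        return None
    return branch, SCORES[branch]


def run(events):
    """Produce the table rows the query would emit, highest SuspicionScore first."""
    rows = []
    for ev in events:
        hit = classify(ev)
        if hit:
            f = extract(ev)
            rows.append({"host": ev.get("host"), "user": f["ResolvedUser"],
                         "service": f["ResolvedServiceName"], "enc": f["ResolvedEncType"],
                         "src_ip": f["ExtSourceIP"], "branch": hit[0], "score": hit[1]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def triage(rows, threshold=4):
    """Apply the description's triage guidance: focus on SuspicionScore >= 4."""
    return [r for r in rows if r["score"] >= threshold]


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

The six constructed events exercise each branch once plus the two exclusions (a computer-account 4769 and a SYSTEM 4672), and the benign `klist.exe purge` shows that the tool patterns key on the `kerberos::` module syntax rather than on the word "purge". One point this rewrite makes visible: the 4672 branch depends on a pre-extracted PrivilegeList field and has no rex fallback, unlike the service name, encryption type and account name. Before relying on that branch, confirm in your environment that PrivilegeList is populated for the classic WinEventLog:Security sourcetype; if it is not, the branch never fires and produces no alert rather than an error.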
