T1212 Sumo Logic CSE · Sumo

Detect Exploitation for Credential Access in Sumo Logic CSE

Adversaries may exploit software vulnerabilities in authentication systems, operating system components, or cloud infrastructure to collect credentials or obtain authenticated access without valid credentials. Exploitation targets include Kerberos protocol implementations (e.g., MS14-068 allowing domain user accounts to forge PAC data in TGTs and gain domain admin-equivalent access), authentication token validation weaknesses enabling replay attacks where intercepted tokens are reused, and cloud identity provider flaws permitting unauthorized token creation or renewal (e.g., Storm-0558 exploiting a Microsoft consumer signing key to forge Azure AD access tokens). Unlike credential dumping or brute force, exploitation techniques may yield highly privileged or long-lived credential material with fewer authentication failure artifacts. Successful exploitation may also result in privilege escalation depending on the targeted process or credentials obtained.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1212 Exploitation for Credential Access
Canonical reference: https://attack.mitre.org/techniques/T1212/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
(_sourceCategory=Windows/Security OR _sourceCategory=Windows/Sysmon OR _sourceCategory=OS/Windows)
// The event ID may arrive as EventCode= or EventID=; parse both into separate fields and merge them,
// so that a second nodrop parse into the same name cannot blank the value the first one extracted
| parse "EventCode=*" as EventCode nodrop
| parse "EventID=*" as EventIDRaw nodrop
| if(isBlank(EventCode), EventIDRaw, EventCode) as EventID
| parse "Ticket Encryption Type:\t\t*" as TicketEncryptionType nodrop
| parse "Service Name:\t\t\t*" as ServiceName nodrop
| parse "Account Name:\t\t\t*" as TargetUserName nodrop
| parse "Account Name:\t\t*" as SubjectUserName nodrop
| parse "Client Address:\t\t::ffff:*" as SourceIP nodrop
| parse "Privilege List:\t\t*" as PrivilegeList nodrop
| parse "CommandLine: *" as CommandLine nodrop
| where
  /* Branch 1: Kerberos RC4 TGS anomaly (RC4-HMAC ticket for krbtgt requested by a user account) */
  (
    EventID = "4769"
    AND TicketEncryptionType = "0x17"
    AND toLowerCase(ServiceName) = "krbtgt"
    AND !(TargetUserName matches /.*[$]/)
    AND TargetUserName != "ANONYMOUS LOGON"
  )
  OR
  /* Branch 2: Kerberos exploitation tool signatures via Sysmon EventID 1 */
  (
    EventID = "1"
    AND (
      CommandLine matches /(?i).*(kerberos::(golden|silver|ptc|ptt|purge|list)).*/
      OR CommandLine matches /(?i).*(ms14[-_]068).*/
      OR CommandLine matches /(?i).*(lsadump::(dcsync|lsa)).*/
      OR CommandLine matches /(?i).*(Invoke-Kerberoast|Request-SPNTicket).*/
      OR CommandLine matches /(?i).*(goldenPac[.]py|ticketer[.]py|PyKEK).*/
      OR CommandLine matches /(?i).*(sekurlsa::kerberos).*/
    )
  )
  OR
  /* Branch 3: High-privilege special logon for a non-system, non-machine account */
  (
    EventID = "4672"
    AND PrivilegeList matches /.*(SeDebugPrivilege|SeTcbPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege).*/
    AND !(SubjectUserName matches /.*[$]/)
    AND !(SubjectUserName in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"))
  )
// Sumo Logic has no eval operator; derived fields are written as "expression as field"
| if(EventID = "4769", "Kerberos_RC4_TGS_Anomaly",
    if(EventID = "1", "Exploit_Tool_Kerberos",
    if(EventID = "4672", "High_Privilege_Assignment", "Unknown"))) as DetectionBranch
| if(DetectionBranch = "Exploit_Tool_Kerberos", 5,
    if(DetectionBranch = "Kerberos_RC4_TGS_Anomaly", 4, 2)) as SuspicionScore
| fields _messageTime, _sourceHost, TargetUserName, SubjectUserName, ServiceName, TicketEncryptionType, SourceIP, CommandLine, PrivilegeList, DetectionBranch, SuspicionScore
| sort by _messageTime desc
```

Severity: critical · Confidence: high

Sumo Logic detection for T1212 Exploitation for Credential Access. Uses parse operators to extract Windows Security Event Log and Sysmon fields from raw message text, then applies three detection branches: (1) EventID 4769 with RC4-HMAC (0x17) ticket encryption targeting the krbtgt service — the primary indicator of MS14-068 PAC forgery or golden ticket forging in AES-capable environments; (2) Sysmon EventID 1 process command lines matching Mimikatz kerberos:: and lsadump:: modules, impacket goldenPac/ticketer scripts, PyKEK, and PowerSploit Kerberoasting cmdlets; (3) EventID 4672 special privilege assignments of elevated tokens to non-system user accounts. SuspicionScore (5=tool signatures, 4=RC4 anomaly, 2=privilege assignment) enables downstream alert prioritization in Cloud SIEM or Sumo Logic alert policies. Adjust _sourceCategory values to match your collector naming convention.

Data Sources

  • Windows Security Event Log (EventID 4769, 4672) via the Sumo Logic Windows collector or an installed collector
  • Sysmon EventID 1 (Process Create) via the Sumo Logic Windows collector

Required Tables

Sumo Logic partitions indexed under Windows/Security and Windows/Sysmon source categories

False Positives & Tuning

  • Third-party identity federation products, network appliances (e.g., F5 APM, Citrix StoreFront), or UNIX hosts with Kerberos keytabs configured for RC4 that request krbtgt service tickets using RC4-HMAC; validate Branch 1 alerts by checking _sourceHost and SourceIP against a known-legacy-device lookup table maintained in a Sumo Logic lookup file
  • Security audit tooling — BloodHound ingestors, PingCastle, or internal Kerberoasting scripts run by the identity security team — that execute PowerShell with Invoke-Kerberoast or Request-SPNTicket on a scheduled basis; coordinate with the identity team to document scan schedules and use Sumo Logic scheduled suppression via alert muting during those windows
  • Enterprise backup agents (Veeam, Commvault, NetBackup) running under service accounts with SeAssignPrimaryTokenPrivilege or SeDebugPrivilege for volume shadow copy integration; use a Sumo Logic lookup file mapping service account names to approved hosts and join it to Branch 3 results to auto-enrich and filter before alerting
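The three detection branches of the query above, together with the lookup-style suppression the Branch 3 tuning note describes, as an added Python example that is not part of the page's query. The sample events, the host names and the svc_backup allow-list are constructed for illustration; the tool-signature and privilege patterns are the ones the query uses.

```python
import re
# Patterns below are the tool signatures and privilege names from the page's query.
TOOL_SIGNATURES = re.compile(
    r"kerberos::(golden|silver|ptc|ptt|purge|list)|ms14[-_]068|lsadump::(dcsync|lsa)"
    r"|Invoke-Kerberoast|Request-SPNTicket|goldenPac[.]py|ticketer[.]py|PyKEK"
    r"|sekurlsa::kerberos", re.I)
HIGH_PRIVS = re.compile(r"Se(Debug|Tcb|AssignPrimaryToken|TakeOwnership)Privilege")
BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Hypothetical allow-list standing in for the Sumo lookup file: service account -> expected hosts.
APPROVED_SERVICE_ACCOUNTS = {"svc_backup": {"bkp01"}}

def field(message, label):  # value of a "Label:<tabs/spaces>value" line, like the query's parse anchors
    m = re.search(r"^" + re.escape(label) + r":[\t ]+(.*)$", message, re.M)
    return m.group(1).strip() if m else None

def classify(source_host, message):
    """Return (DetectionBranch, SuspicionScore) for one raw event, or None if no branch fires."""
    m = re.search(r"(?:EventCode|EventID)=(\d+)", message)
    event_id = m.group(1) if m else None
    if event_id == "4769":  # Branch 1: RC4 TGS request for krbtgt by a user (not machine) account
        user = field(message, "Account Name") or ""
        if (field(message, "Ticket Encryption Type") == "0x17"
                and (field(message, "Service Name") or "").lower() == "krbtgt"
                and not user.endswith("$") and user != "ANONYMOUS LOGON"):
            return ("Kerberos_RC4_TGS_Anomaly", 4)
    elif event_id == "1":  # Branch 2: Kerberos tooling signatures in a Sysmon process-create command line
        if TOOL_SIGNATURES.search(field(message, "CommandLine") or ""):
            return ("Exploit_Tool_Kerberos", 5)
    elif event_id == "4672":  # Branch 3: special privileges for a non-system user, minus approved host pairs
        user = field(message, "Account Name") or ""
        if (HIGH_PRIVS.search(field(message, "Privilege List") or "")
                and not user.endswith("$") and user not in BUILTIN_ACCOUNTS
                and source_host not in APPROVED_SERVICE_ACCOUNTS.get(user, set())):
            return ("High_Privilege_Assignment", 2)
    return None

# Constructed sample events (source host, raw message text); not taken from the page.
SAMPLE_EVENTS = [
    ("dc01", "EventCode=4769\nAccount Name:\t\tjdoe@CORP.LOCAL\nService Name:\t\tkrbtgt\nTicket Encryption Type:\t\t0x17"),
    ("dc01", "EventCode=4769\nAccount Name:\t\tWS01$\nService Name:\t\tkrbtgt\nTicket Encryption Type:\t\t0x17"),
    ("ws07", "EventID=1\nCommandLine: mimikatz.exe kerberos::golden"),
    ("bkp01", "EventCode=4672\nAccount Name:\t\tsvc_backup\nPrivilege List:\t\tSeDebugPrivilege"),
    ("ws07", "EventCode=4672\nAccount Name:\t\tsvc_backup\nPrivilege List:\t\tSeDebugPrivilege"),
]

def run(events=SAMPLE_EVENTS):
    """Apply all three branches and return hits ordered by SuspicionScore, highest first."""
    hits = [(host,) + r for host, msg in events if (r := classify(host, msg))]
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

The machine-account 4769 event and the svc_backup token on its approved host bkp01 produce no hit, which is the behaviour the tuning notes ask for.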

Testing Methodology

Validate this detection against the four adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: MS14-068 Kerberos PAC Forgery Simulation (PyKEK)

    Expected signal: Security Event 4768 (TGT Request) from the affected user with anomalous PAC checksum values. Security Event 4769 (TGS Request) with TicketEncryptionType=0x17 (RC4) for krbtgt service. Sysmon Event 1: Process Create for python.exe with ms14-068.py in command line, followed by mimikatz.exe with kerberos::ptc. Network capture: oversized KRB_AS_REP packet containing the forged PAC structure.

  2. Test 2: Golden Ticket Creation with Mimikatz (Requires krbtgt Hash)

    Expected signal: Sysmon Event 1: mimikatz.exe process create with 'kerberos::golden' and '/ptt' in command line. Security Event 4672 on the DC showing SeDebugPrivilege and SeTcbPrivilege for the injected Administrator ticket. Security Event 4624 (LogonType 3) on DC from localhost after 'dir \\dc\c$' succeeds. Security Event 4769 with EncType=0x17 for CIFS/HOST services on DC from non-DC workstation.

  3. Test 3: Kerberos Replay Attack via Packet Capture and Ticket Injection

    Expected signal: Sysmon Event 1: tshark.exe capturing on network interface. Sysmon Event 1: mimikatz.exe with 'kerberos::ptc' injecting the stolen ticket. Sysmon Event 3: Network connections to KDC port 88 after ticket injection. Security Event 4769 with source IP matching the attacker's machine but user context matching the captured ticket's original owner.

  4. Test 4: Cloud Authentication Token Replay (Azure AD - Storm-0558 Pattern)

    Expected signal: Azure AD Sign-In Logs: Successful authentication with the replayed token from an unexpected IP address, with UserAgent matching the attacker's tool (PowerShell/7.x or curl). Microsoft Purview Unified Audit Log: MailItemsAccessed operation for the target mailbox. Potential Microsoft Defender for Cloud Apps alert: 'Activity from anonymous IP address' or 'Impossible travel' if the replay IP differs significantly from the legitimate user's location.
