Skip to content

Commit fa6d7a4

Browse files
munzzyynasbench
andauthored
Add PreAuthType filter to PetitPotam Kerberos TGT detection (#4146)
--------- Co-authored-by: Nasreddine Bencherchali <nbencher@cisco.com>
1 parent 1e6583f commit fa6d7a4

1 file changed

Lines changed: 20 additions & 11 deletions

File tree

detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml

Lines changed: 20 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,27 +1,36 @@
11
name: PetitPotam Suspicious Kerberos TGT Request
22
id: e3ef244e-0a67-11ec-abf2-acde48001122
3-
version: 10
3+
version: 11
44
creation_date: '2021-09-01'
5-
modification_date: '2026-05-13'
5+
modification_date: '2026-07-04'
66
author: Michael Haag, Mauricio Velazco, Splunk
77
status: production
88
type: TTP
99
description: The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.
1010
data_source:
1111
- Windows Event Log Security 4768
1212
search: |-
13-
`wineventlog_security` EventCode=4768 src!="::1" TargetUserName=*$ CertThumbprint!=""
14-
| stats count min(_time) as firstTime max(_time) as lastTime
15-
BY dest, TargetUserName, src,
16-
action
17-
| `security_content_ctime(firstTime)`
18-
| `security_content_ctime(lastTime)`
19-
| `petitpotam_suspicious_kerberos_tgt_request_filter`
20-
how_to_implement: The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.
21-
known_false_positives: False positives are possible if the environment is using certificates for authentication.
13+
`wineventlog_security`
14+
EventCode=4768
15+
src!="::1"
16+
TargetUserName=*$
17+
CertThumbprint!=""
18+
PreAuthType=2
19+
| stats count min(_time) as firstTime
20+
max(_time) as lastTime
21+
BY dest TargetUserName PreAuthType CertThumbprint src action
22+
| `security_content_ctime(firstTime)`
23+
| `security_content_ctime(lastTime)`
24+
| `petitpotam_suspicious_kerberos_tgt_request_filter`
25+
how_to_implement: |-
26+
The following analytic requires Event Code 4768. Ensure that it is logging no Domain Controllers and appearing in Splunk.
27+
known_false_positives: |-
28+
False positives are possible if the environment is using certificates for authentication, since PreAuthType 2 can appear on some initial or fallback authentication flows alongside a populated certificate field.
29+
Tune further based on observed authentication patterns in the environment.
2230
references:
2331
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
2432
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
33+
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768#kerberos-preauthentication-types
2534
drilldown_searches:
2635
- name: View the detection results for - "$dest$"
2736
search: '%original_detection_search% | search dest = "$dest$"'

0 commit comments

Comments
 (0)