Detecting Windows Kerberos implementation elevation of privilege vulnerability attacks with Sentinel

CVE-2014-6324 allows remote elevation of privilege in domains running Windows domain controllers. An attacker with the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).

After installing update MS14-068, on Windows Server 2008 R2 and later, event 4769 ("Kerberos Service Ticket Operation") can be used to detect attackers attempting to exploit this vulnerability. This is a high-volume event, so it is advisable to log only failures, which significantly reduces the number of events generated.

To detect these events with Sentinel in real time, use the following correlation rule:
filter(e.ObserverServiceName = "Microsoft-Windows-Security-Auditing" AND e.VendorEventCode = "4769" AND e.XDASOutcome = 1 AND e.ExtendedInformation match regex (".*Failure Code...0xf\x22.*"))

To search for past events that indicate attempts to exploit this vulnerability, use the following search query:
obssvcname:"Microsoft-Windows-Security-Auditing" AND rv40:4769 AND xdasoutcome:1 AND ei:"0xf"
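As an added example (not part of the original tip), the same filter expressed in Python and run over a few constructed 4769 records, so you can see which events the rule keeps and which it drops. The field names are the ones the Sentinel rule uses; the layout of the ExtendedInformation string in the samples is an assumption made for this example.

```python
import re
from typing import Dict, Iterable, List

# The regex from the Sentinel rule: "\x22" is a double quote, so it requires the
# failure code to be quoted, which is how the constructed samples below are laid out.
FAILURE_CODE_0XF = re.compile(r".*Failure Code...0xf\x22.*", re.IGNORECASE | re.DOTALL)

# Kerberos failure code 0xF is KDC_ERR_SUMTYPE_NOSUPP (checksum type not supported);
# a patched KDC returns it when it rejects the forged PAC signature used by CVE-2014-6324.


def is_ms14068_attempt(event: Dict[str, object]) -> bool:
    """Mirror the correlation rule: security-audit provider, event 4769,
    failed outcome (XDASOutcome == 1) and failure code 0xF in ExtendedInformation."""
    return (
        event.get("ObserverServiceName") == "Microsoft-Windows-Security-Auditing"
        and str(event.get("VendorEventCode")) == "4769"
        and event.get("XDASOutcome") == 1
        and FAILURE_CODE_0XF.match(str(event.get("ExtendedInformation", ""))) is not None
    )


def find_attempts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return only the events the rule would raise on."""
    return [e for e in events if is_ms14068_attempt(e)]


def _ev(outcome: int, code: str, account: str, provider: str = "Microsoft-Windows-Security-Auditing"):
    # Constructed sample record (hypothetical account and realm names).
    return {
        "ObserverServiceName": provider,
        "VendorEventCode": "4769",
        "XDASOutcome": outcome,
        "ExtendedInformation": f'Account Name: "{account}" Service Name: "krbtgt/CORP.EXAMPLE" Failure Code: "{code}"',
    }


SAMPLE_EVENTS = [
    _ev(0, "0x0", "alice@CORP.EXAMPLE"),             # normal successful TGS request: dropped
    _ev(1, "0x12", "bob@CORP.EXAMPLE"),              # other failure (client revoked): dropped
    _ev(1, "0xf", "mallory@CORP.EXAMPLE"),           # patched KDC rejecting a forged PAC: kept
    _ev(1, "0xf", "x@CORP.EXAMPLE", provider="Other-Provider"),  # wrong provider: dropped
]

if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_EVENTS):
        print("MS14-068 attempt:", hit["ExtendedInformation"])
```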

Comments
Thanks for sharing!
Excellent article. Can you explain your rule and query in a little more detail?
Version history: revision 1 of 1, last update 2014-11-21 20:44