Threat Feed advisory (severity: high)

Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account

Detects potential Kerberos relay attacks by identifying a coercion attempt followed by an authentication event that uses the target server's computer account but originates from a different host. That sequence indicates an attacker has captured and relayed the server's Kerberos authentication material in order to execute code on its behalf.

This detection identifies potential Kerberos relay attacks targeting Windows systems. The attack involves coercing a target server into authenticating to an attacker-controlled system, which then relays that authentication to another service. The initial coercion leverages commonly abused named pipes such as Spoolss, netdfs, and lsarpc. By capturing and relaying the Kerberos authentication, attackers can impersonate the target server and potentially execute code with elevated privileges. This activity is often associated with lateral movement and privilege escalation within a Windows domain. The detection focuses on the sequence of events: a network share access event (Event ID 5145) against a named pipe, followed by a Kerberos authentication event (Event ID 4624 for success, 4625 for failure) whose source IP address differs from the target server's. Defenders should be aware that successful exploitation may lead to full domain compromise.

Attack Chain

  1. Attacker compromises a machine within the target network.
  2. Attacker initiates a coerced authentication attempt against a target server, triggering a file access event (Event ID 5145) on the target. This leverages a named pipe such as Spoolss, netdfs, lsarpc, lsass, netlogon, samr, efsrpc, FssagentRpc, eventlog, winreg, srvsvc, dnsserver, dhcpserver or WinsPipe.
  3. The target server attempts to authenticate to the attacker-controlled machine.
  4. The attacker relays the Kerberos authentication attempt to a service on another server, impersonating the target server.
  5. A Kerberos authentication event (Event ID 4624 or 4625) is generated, indicating a network logon attempt using Kerberos. The account used ends with ‘$’, signifying a computer account.
  6. The source IP address of the authentication event is different from the target server’s IP address, indicating the authentication attempt originated from a different host.
  7. If successful (Event ID 4624), the attacker gains unauthorized access to the service on the second server, impersonating the target server’s computer account.
  8. The attacker executes commands or performs actions on the compromised service, potentially leading to data exfiltration, system compromise, or further lateral movement.
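The following is an added example, not the vendor's Sigma rule or platform query, that correlates the sequence described in the attack chain over a handful of constructed Windows Security events. It assumes the events have already been parsed into dictionaries keyed by standard Security log field names (EventID, Computer, ShareName, RelativeTargetName, TargetUserName, IpAddress, LogonType, AuthenticationPackageName), that named pipes are reached over the IPC$ share, and that a small asset inventory maps each computer account to its expected IP address; the host names, IPs and five-minute window are constructed values.

```python
"""Correlate coerced named-pipe access (5145) with a later Kerberos network
logon (4624/4625) by the coerced host's computer account from another IP.
Added example; field names follow the Windows Security log, sample data is
constructed."""
from datetime import datetime, timedelta

# Named pipes the advisory lists as coercion vectors (compared case-insensitively).
COERCION_PIPES = {
    "spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc",
    "fssagentrpc", "eventlog", "winreg", "srvsvc", "dnsserver",
    "dhcpserver", "winspipe",
}

# Constructed asset inventory: computer account -> the IP that account should
# legitimately authenticate from. Rules 2/3 on the page compare against this.
HOST_IPS = {"FS01$": "10.0.0.10", "APP01$": "10.0.0.20"}

# Constructed sample events, already ordered as they would arrive.
SAMPLE_EVENTS = [
    # Coercion: a client at 10.0.0.50 opens the spoolss pipe on FS01 (rule 1).
    {"EventID": 5145, "Computer": "FS01.corp.local", "TimeCreated": "2025-06-12T10:00:00",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "IpAddress": "10.0.0.50", "SubjectUserName": "jdoe"},
    # Relayed logon: FS01$ authenticates to APP01 from 10.0.0.50, not from FS01 (rule 2).
    {"EventID": 4624, "Computer": "APP01.corp.local", "TimeCreated": "2025-06-12T10:00:04",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "FS01$", "IpAddress": "10.0.0.50"},
    # A failed relay attempt from the same foreign IP (rule 3).
    {"EventID": 4625, "Computer": "APP01.corp.local", "TimeCreated": "2025-06-12T10:00:06",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "FS01$", "IpAddress": "10.0.0.50"},
    # Benign: FS01$ authenticating from its own address.
    {"EventID": 4624, "Computer": "APP01.corp.local", "TimeCreated": "2025-06-12T10:05:00",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "FS01$", "IpAddress": "10.0.0.10"},
    # Benign: ordinary file access on a data share, not a named pipe.
    {"EventID": 5145, "Computer": "FS01.corp.local", "TimeCreated": "2025-06-12T10:06:00",
     "ShareName": "\\\\*\\Data", "RelativeTargetName": "report.docx",
     "IpAddress": "10.0.0.77", "SubjectUserName": "jdoe"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def account_for_host(computer):
    """'FS01.corp.local' -> 'FS01$', the host's own computer account."""
    return computer.split(".")[0].upper() + "$"


def is_coercion_attempt(ev):
    """Rule 1: share access (5145) to IPC$ whose target is a coercion-prone pipe."""
    return (ev.get("EventID") == 5145
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() in COERCION_PIPES)


def is_computer_logon_from_other_ip(ev, host_ips):
    """Rules 2/3: Kerberos network logon by a computer account ('$' suffix)
    from an IP that is not the address recorded for that account."""
    if ev.get("EventID") not in (4624, 4625):
        return False
    if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName") != "Kerberos":
        return False
    account = ev.get("TargetUserName", "")
    if not account.endswith("$"):
        return False
    src = ev.get("IpAddress", "-")
    if src in ("-", "", "127.0.0.1", "::1"):  # local or unrecorded source: skip
        return False
    own_ip = host_ips.get(account)
    return own_ip is not None and src != own_ip


def correlate(events, host_ips, window=timedelta(minutes=5)):
    """Pair each coercion event with later suspicious logons of the coerced
    host's computer account inside the window. Returns one alert per pair."""
    ordered = sorted(events, key=lambda e: parse_ts(e["TimeCreated"]))
    alerts = []
    for i, coerce in enumerate(ordered):
        if not is_coercion_attempt(coerce):
            continue
        victim_account = account_for_host(coerce["Computer"])
        t0 = parse_ts(coerce["TimeCreated"])
        for logon in ordered[i + 1:]:
            if parse_ts(logon["TimeCreated"]) - t0 > window:
                break  # events are sorted, nothing later can match
            if logon.get("TargetUserName") != victim_account:
                continue
            if not is_computer_logon_from_other_ip(logon, host_ips):
                continue
            success = logon["EventID"] == 4624
            alerts.append({
                "severity": "high" if success else "medium",
                "outcome": "success" if success else "failure",
                "victim": coerce["Computer"],
                "pipe": coerce["RelativeTargetName"],
                "coercing_client": coerce["IpAddress"],
                "relayed_to": logon["Computer"],
                "auth_source_ip": logon["IpAddress"],
            })
    return alerts


def run_sample():
    return correlate(SAMPLE_EVENTS, HOST_IPS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed input this yields two alerts: a high one for the successful 4624 relay and a medium one for the 4625 failure, mirroring the severities of rules 2 and 3 above, while the same account logging on from its own IP and ordinary file access on a data share produce nothing. The asset-inventory lookup is the part most worth tuning in practice: hosts with several interfaces or DHCP-assigned addresses need all of their legitimate IPs recorded, or the "different IP" condition will fire on benign traffic.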

Impact

A successful Kerberos relay attack can lead to a full compromise of the targeted server, potentially allowing the attacker to execute arbitrary code with SYSTEM privileges. This can result in data exfiltration, service disruption, and further lateral movement within the network. The scope of the impact depends on the privileges of the compromised computer account and the services accessible to it. Organizations that do not properly patch CVE-2025-33073 or implement SMB signing/sealing/channel binding are at higher risk.

Recommendation

  • Deploy the Sigma rule “Potential Kerberos Relay Attack against a Computer Account” to your SIEM to detect this activity and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the sequence of events and the source IP address involved.
  • Patch CVE-2025-33073 on all affected Windows servers to prevent reflective Kerberos relay attacks.
  • Enable SMB signing or service-specific signing/sealing/channel binding on affected service tiers to mitigate relay attacks.
  • Monitor Windows Security Event Logs for Event ID 5145 (file access) and Event IDs 4624/4625 (authentication attempts) for suspicious activity.
  • Restrict coercion-prone RPC and named-pipe exposure to limit the attack surface.

Detection coverage (3 rules)

Potential Kerberos Relay Attack - Coerced Authentication Attempt

Severity: medium

Detects file access events indicating potential coerced authentication attempts against common named pipes.

Rule format: Sigma. Tactic: credential_access. Technique: T1187. Log sources: file_event, windows.

Potential Kerberos Relay Attack - Authentication from Different IP

Severity: high

Detects Kerberos authentication events originating from a different IP address than the target server.

Rule format: Sigma. Tactic: credential_access. Technique: T1187. Log sources: process_creation, windows.

Potential Kerberos Relay Attack - Failed Authentication from Different IP

Severity: medium

Detects failed Kerberos authentication events originating from a different IP address than the target server.

Rule format: Sigma. Tactic: credential_access. Technique: T1187. Log sources: process_creation, windows.
