high advisory

Service Creation via Local Kerberos Authentication Leading to Privilege Escalation

The rule detects a local successful logon event with Kerberos authentication from localhost, followed by service creation from the same LogonId, indicating a potential Kerberos relay attack for local privilege escalation to LocalSystem.

This detection rule identifies a potential Kerberos relay attack variant on Windows systems, in which an attacker elevates privileges locally by relaying Kerberos authentication from a domain-joined user to LocalSystem. The rule looks for a successful local logon event whose Logon Package is Kerberos and whose source address is a loopback address (127.0.0.0/8 or ::1), followed by a service creation from the same LogonId. KrbRelayUp is a publicly known tool that implements this technique. The sequence is significant because a successful Kerberos relay attack can grant the attacker persistent, elevated access to the compromised system.

Attack Chain

  1. The attacker gains initial access to a domain-joined user’s account through an unspecified method.
  2. The attacker initiates a Kerberos authentication request, relaying it to the local machine.
  3. A successful logon event (Event ID 4624) is generated with the following characteristics: Logon Package is Kerberos, the source IP is a loopback address (127.0.0.0/8 or ::1), ElevatedToken is present, and Logon Type is Network.
  4. The attacker uses the relayed Kerberos ticket to authenticate locally as the targeted user.
  5. The attacker creates a new service on the system (Event ID 4697).
  6. The service is configured to run with LocalSystem privileges.
  7. The attacker starts the newly created service.
  8. The attacker executes malicious code with LocalSystem privileges, achieving privilege escalation.
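The correlation the rule performs (a qualifying 4624 followed by a 4697 from the same LogonId) can be reproduced outside a SIEM for triage or rule testing. The following Python is an added example, not the advisory's Sigma rule or code from any tool it names. It assumes events have already been parsed into dictionaries keyed by the Windows Security EventData field names (AuthenticationPackageName, IpAddress, LogonType, ElevatedToken, TargetLogonId for 4624; SubjectLogonId, ServiceName, ServiceFileName, ServiceAccount for 4697), and it uses a 5-minute correlation window, which is an assumed tuning value rather than one the advisory states. The sample records are constructed for the example and include two benign sequences (a Kerberos logon from a remote host and an NTLM logon from loopback) to show what the filter excludes.

```python
"""Correlate a local Kerberos network logon (4624) with a later service
creation (4697) from the same LogonId, over constructed sample records."""
import ipaddress
from datetime import datetime, timedelta

# Values as they appear in Windows Security events:
# LogonType 3 = Network; ElevatedToken "%%1842" = Yes, "%%1843" = No.
NETWORK_LOGON = 3
ELEVATED_TOKEN_YES = "%%1842"


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 or ::1. '-' (no address) and unparsable values are not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def is_suspicious_local_kerberos_logon(ev: dict) -> bool:
    """The 4624 half of the chain: Kerberos package, loopback source,
    Network logon type and an elevated token."""
    return (
        ev.get("EventID") == 4624
        and ev.get("AuthenticationPackageName") == "Kerberos"
        and is_loopback(ev.get("IpAddress", "-"))
        and int(ev.get("LogonType", 0)) == NETWORK_LOGON
        and ev.get("ElevatedToken") == ELEVATED_TOKEN_YES
    )


def correlate(events, window=timedelta(minutes=5)):
    """Return one alert per 4697 whose SubjectLogonId matches a qualifying 4624
    TargetLogonId seen no more than `window` earlier (window is an assumption)."""
    logons = {}  # LogonId -> (timestamp, qualifying 4624 record)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if is_suspicious_local_kerberos_logon(ev):
            logons[ev["TargetLogonId"]] = (ts, ev)
        elif ev.get("EventID") == 4697:
            hit = logons.get(ev.get("SubjectLogonId"))
            if hit and timedelta(0) <= ts - hit[0] <= window:
                logon_ts, logon = hit
                # Fields an analyst wants first: who, from where, what service, run as whom.
                alerts.append({
                    "LogonId": ev["SubjectLogonId"],
                    "User": logon.get("TargetUserName"),
                    "SourceIp": logon.get("IpAddress"),
                    "LogonTime": logon_ts.isoformat(),
                    "ServiceTime": ts.isoformat(),
                    "ServiceName": ev.get("ServiceName"),
                    "ServiceFileName": ev.get("ServiceFileName"),
                    "ServiceAccount": ev.get("ServiceAccount"),
                })
    return alerts


# Constructed sample events (not real telemetry). Only the first pair matches.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:00:00", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "LogonType": 3, "ElevatedToken": "%%1842",
     "TargetLogonId": "0x3e7a1", "TargetUserName": "alice"},
    {"EventID": 4697, "TimeCreated": "2024-01-10T09:00:05", "SubjectLogonId": "0x3e7a1",
     "ServiceName": "ExampleSvc", "ServiceFileName": "C:\\Windows\\Temp\\svc.exe",
     "ServiceAccount": "LocalSystem"},
    # Benign: Kerberos network logon from a remote host, then a service creation.
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:10:00", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.5", "LogonType": 3, "ElevatedToken": "%%1842",
     "TargetLogonId": "0x4f001", "TargetUserName": "bob"},
    {"EventID": 4697, "TimeCreated": "2024-01-10T09:10:03", "SubjectLogonId": "0x4f001",
     "ServiceName": "DeployAgent", "ServiceFileName": "C:\\Program Files\\Deploy\\agent.exe",
     "ServiceAccount": "LocalSystem"},
    # Benign: NTLM logon from loopback (package is not Kerberos).
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:20:00", "AuthenticationPackageName": "NTLM",
     "IpAddress": "127.0.0.1", "LogonType": 3, "ElevatedToken": "%%1842",
     "TargetLogonId": "0x5a100", "TargetUserName": "svc_backup"},
    {"EventID": 4697, "TimeCreated": "2024-01-10T09:20:02", "SubjectLogonId": "0x5a100",
     "ServiceName": "BackupSvc", "ServiceFileName": "C:\\Program Files\\Backup\\bk.exe",
     "ServiceAccount": "LocalSystem"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying on the LogonId rather than on the user name is what keeps this precise: the same account may log on legitimately many times, but only the session that was created by the loopback Kerberos logon is tied to the service creation. In a real deployment the window and the loopback check are the two knobs to tune; an environment with local agents that install services via Kerberos on 127.0.0.1 will need an allowlist on ServiceFileName.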

Impact

A successful Kerberos relay attack can lead to complete compromise of the local system. An attacker can gain full control over the system, potentially leading to data theft, installation of malware, or lateral movement to other systems within the network. The rule aims to detect this attack before the attacker can achieve their objectives, preventing significant damage to the organization.

Recommendation

  • Enable Windows audit policies for “Audit Logon” and “Audit Security System Extension” to ensure necessary events are logged.
  • Deploy the Sigma rule “Service Creation via Local Kerberos Authentication” to your SIEM to detect suspicious local Kerberos authentications followed by service creation, and tune for your environment.
  • Investigate any alerts generated by the Sigma rule by examining the associated Windows Security events (4624, 4697) for the same LogonId, focusing on the service name, file name, and account.
  • Implement LDAP signing and channel binding to prevent Kerberos relay attacks.
  • Monitor for related alerts that show the same relay-to-service chain elsewhere.

Detection coverage (3 rules)

Service Creation via Local Kerberos Authentication

high

Detects service creation following a Kerberos authentication from a local IP address, potentially indicating a Kerberos relay attack.

Format: sigma | Tactics: privilege_escalation | Techniques: T1558.003 | Sources: process_creation, windows

Suspicious Service Creation with Elevated Privileges

medium

Detects the creation of a service configured to run as LocalSystem, which is a common tactic for privilege escalation.

Format: sigma | Tactics: privilege_escalation | Techniques: T1543.003 | Sources: process_creation, windows

Local Kerberos Logon Followed by Service Creation

high

Detects the event sequence of a local Kerberos network logon followed by a service creation.

Format: sigma | Tactics: privilege_escalation | Techniques: T1558.003 | Sources: windows
