Possible Kerberos relay attack

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

2 Days

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Privilege Escalation (TA0004)

ATT&CK Technique

Abuse Elevation Control Mechanism (T1548)

Severity

Low

Description

A suspicious local network login was observed, which might indicate a Kerberos relay attack. This attack can lead to privilege escalation by obtaining SYSTEM privileges on the target.

Attacker's Goals

An attacker is attempting to elevate their privileges on the machine.

Investigative actions

  • Check for any other suspicious activity related to the host involved in the alert.
  • Look for a new machine that was added to the domain.