Query Details

RULE 18 AD Printer Bug Coercion Auth

Query

// =========================================================
// RULE-18 | AD-PrinterBug-Coercion-Auth
// Description : Print Spooler coercion (PrinterBug /
//               SpoolSample) detection — Event 4624 (Logon
//               Type 3 Kerberos) from a Domain Controller
//               machine account authenticating to a
//               non-DC workstation or member server.
//               DCs should never proactively authenticate
//               to workstations.  When an attacker calls
//               RpcRemoteFindFirstPrinterChangeNotification
//               the DC's Spooler service authenticates to
//               the attacker's machine — captured as a
//               Type 3 Kerberos logon FROM the DC TO the
//               target.
//               Correlates with Event 4769 TGS requests
//               from the coerced DC machine account for
//               krbtgt — indicating TGT extraction attempt.
// Severity    : High (coercion logon) → Critical (TGT
//               request from same DC in 5 min = Rubeus dump)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1187 — Forced Authentication
// Tables      : SecurityEvent
// =========================================================

let LookBack  = 15m;
let TGTWindow = 5m;

// Known DCs: hosts that issued TGTs (4768) in the last 3 days.
// Computer is normally an FQDN ("DC01.corp.example"), so keep only
// the upper-cased short host name; it is matched below against the
// "HOST$" machine-account form that 4624 and 4769 carry.
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize by DC = toupper(tostring(split(Computer, ".")[0]));

// Step 1: DC machine account authenticates to a NON-DC.
//         In 4624 the account that logged on is TargetUserName
//         (SubjectUserName is the requesting account, usually "-"
//         for network logons), so the DC's machine account is there.
let CoercionLogons = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4624
    | where LogonType == 3
    | where AuthenticationPackageName =~ "Kerberos"
    | where TargetUserName endswith "$"                     // Machine account logon
    | extend AcctHost   = toupper(trim_end(@"\$", TargetUserName))
    | extend TargetHost = toupper(tostring(split(Computer, ".")[0]))
    | where AcctHost in~ (KnownDCNames)                     // Logged-on account IS a known DC
    | where not(TargetHost in~ (KnownDCNames))              // But target host is NOT a DC
    | extend
        CoercedDC      = toupper(TargetUserName),
        CoercionTarget = Computer,
        CoercionTime   = TimeGenerated;

// Step 2: krbtgt TGS request from the coerced DC machine account
//         (Rubeus monitor + dump sequence). In 4769 the account name
//         normally carries the realm ("DC01$@CORP.EXAMPLE"); strip it
//         so it joins against CoercedDC.
let TGTDumpSignal = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4769
    | where ServiceName =~ "krbtgt"
    | extend TGTAccount = toupper(tostring(split(TargetUserName, "@")[0]))
    | where TGTAccount endswith "$"
    | extend TGTAcctHost = trim_end(@"\$", TGTAccount)
    | where TGTAcctHost in~ (KnownDCNames)
    | project TGTTime = TimeGenerated,
              TGTAccount,
              TGTHost    = Computer;

// Correlate. TGTTime is a datetime, so null checks use isnull()/isnotnull()
// (isempty() is for strings). A krbtgt request outside the 5-minute window
// is discarded per row and the coercion logon is kept as "High"; filtering
// the joined rows directly would drop the coercion alert entirely when the
// DC's only krbtgt request falls outside the window.
CoercionLogons
| join kind=leftouter (TGTDumpSignal)
    on $left.CoercedDC == $right.TGTAccount
| extend TGTTime = iff(TGTTime between (CoercionTime .. CoercionTime + TGTWindow),
                       TGTTime, datetime(null))
| summarize TGTTime = min(TGTTime) by CoercionTime, CoercedDC, CoercionTarget
| extend
    HasTGTDump  = isnotnull(TGTTime),
    Severity    = iff(isnotnull(TGTTime), "Critical", "High"),
    WhySuspicious = strcat(
        "PrinterBug_Coercion_DC_Auth_To_NonDC; ",
        "CoercedDC: ", CoercedDC, "; ",
        "CoercionTarget: ", CoercionTarget, "; ",
        iff(isnotnull(TGTTime), "TGT_Dump_Attempt_Detected; ", "No_TGT_Dump_Yet; ")
    )
| project
    TimeGenerated    = CoercionTime,
    Severity,
    WhySuspicious,
    CoercedDC,
    CoercionTarget,
    HasTGTDump,
    TGTTime
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific type of security threat known as the "PrinterBug" or "SpoolSample" attack. Here's a simplified explanation of what the query does:

  1. Purpose: The query aims to identify suspicious authentication activities involving domain controllers (DCs) in a network. Specifically, it looks for instances where a DC's machine account logs into a non-DC machine, which is unusual and potentially indicative of an attack.

  2. Step 1 - Detecting Coercion Logons:

    • The query first identifies known DCs by checking for specific events (Event ID 4768) in the last three days.
    • It then looks for logon events (Event ID 4624) in the last 15 minutes where a DC machine account (indicated by a username ending with "$") logs into a non-DC machine using Kerberos authentication. This is considered suspicious because DCs should not normally authenticate to non-DC machines.

  3. Step 2 - Detecting TGT Requests:

    • The query checks for Kerberos service ticket (TGS) requests for krbtgt (Event ID 4769) from the coerced DC machine account within the same 15-minute window. This could indicate an attempt to extract a TGT, which is a critical security concern.

  4. Correlation and Severity:

    • The query correlates the coercion logons with the krbtgt requests. If such a request is detected within 5 minutes of the coercion logon, it raises the severity to "Critical", as it suggests a potential attack using tools like Rubeus to dump credentials.
    • If no such request is detected, the severity remains "High".

  5. Output:

    • The query outputs details such as the time of the suspicious activity, the severity level, the DC involved, the target machine, and whether a TGT dump attempt was detected.

Overall, this query helps security teams monitor and respond to potential forced authentication attacks in their network, which could lead to unauthorized access or data breaches.
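To sanity-check the correlation logic offline, here is an added Python re-implementation of the rule over constructed sample rows (this is not part of the original rule or the author's code). It makes explicit the two name normalizations any implementation of this rule needs: FQDN Computer values matched against HOST$ machine accounts, and the realm suffix that 4769 account names carry.

```python
from datetime import datetime, timedelta

# Constructed sample SecurityEvent rows (not real telemetry): 4768 rows mark
# which hosts are DCs; 4624/4769 rows exercise the coercion and TGT logic.
T = lambda h, m: datetime(2026, 3, 24, h, m)
def logon(acct, comp, t):  # 4624, LogonType 3, Kerberos
    return {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
            "TargetUserName": acct, "Computer": comp, "TimeGenerated": t}
def tgs(acct, comp, t):    # 4769 for krbtgt; account carries the realm suffix
    return {"EventID": 4769, "ServiceName": "krbtgt", "TargetUserName": acct,
            "Computer": comp, "TimeGenerated": t}
EVENTS = [
    {"EventID": 4768, "Computer": "DC01.corp.example", "TimeGenerated": T(9, 0)},
    {"EventID": 4768, "Computer": "DC02.corp.example", "TimeGenerated": T(9, 1)},
    logon("DC01$", "WS07.corp.example", T(10, 0)),   # coercion, TGS 3 min later -> Critical
    tgs("DC01$@CORP.EXAMPLE", "DC01.corp.example", T(10, 3)),
    logon("DC02$", "DC01.corp.example", T(10, 5)),   # DC-to-DC, expected -> no alert
    logon("DC02$", "SRV03.corp.example", T(10, 10)), # coercion, TGS outside window -> High
    tgs("DC02$@CORP.EXAMPLE", "DC02.corp.example", T(10, 30)),
]

def short_host(computer):   # 'DC01.corp.example' -> 'DC01'
    return computer.split(".")[0].upper()
def account_host(name):     # 'DC01$' or 'DC01$@CORP.EXAMPLE' -> 'DC01'
    return name.split("@")[0].rstrip("$").upper()

def detect(events, tgt_window=timedelta(minutes=5)):
    dcs = {short_host(e["Computer"]) for e in events if e["EventID"] == 4768}
    krbtgt = [e for e in events if e["EventID"] == 4769
              and e["ServiceName"].lower() == "krbtgt"]
    alerts = []
    for e in events:
        if (e["EventID"] != 4624 or e["LogonType"] != 3
                or e["AuthenticationPackageName"].lower() != "kerberos"):
            continue
        acct = e["TargetUserName"]
        if not acct.endswith("$") or account_host(acct) not in dcs:
            continue                      # logged-on account is not a DC
        if short_host(e["Computer"]) in dcs:
            continue                      # DC-to-DC traffic is expected
        t0 = e["TimeGenerated"]
        hits = sorted(k["TimeGenerated"] for k in krbtgt
                      if account_host(k["TargetUserName"]) == account_host(acct)
                      and t0 <= k["TimeGenerated"] <= t0 + tgt_window)
        alerts.append({"CoercionTime": t0, "CoercedDC": acct,
                       "CoercionTarget": e["Computer"],
                       "Severity": "Critical" if hits else "High",
                       "TGTTime": hits[0] if hits else None})
    return alerts
```

Running detect(EVENTS) yields two alerts: DC01$ to WS07 as Critical (krbtgt request at 10:03) and DC02$ to SRV03 as High (its only krbtgt request is 20 minutes later), while the DC02$ logon to DC01 produces nothing.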

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

let, ago, toupper, summarize, by, where, endswith, in~, extend, strcat, project, join, kind, on, isempty, between, isnotempty, iff, order by