Query Details
// =========================================================
// RULE-26 | AD-KrbRelayUp-LocalEscalation
// Description : KrbRelayUp local privilege escalation
//   detection: a low-privilege user creates a machine
//   account (5137) and, within 10 minutes, a computer
//   account writes msDS-AllowedToActOnBehalfOfOtherIdentity
//   or msDS-KeyCredentialLink on its OWN computer object
//   (5136). KrbRelayUp coerces the local SYSTEM context to
//   authenticate via Kerberos, relays that authentication
//   to LDAP, and sets RBCD or shadow credentials on the
//   local computer object; the attacker then uses
//   S4U2Self/S4U2Proxy to obtain a service ticket to the
//   local host as a Domain Admin and runs code as SYSTEM.
//   Note: 5137 and 5136 are logged by the domain
//   controller, so the SecurityEvent Computer column is
//   the DC, never the victim workstation. The victim is
//   identified from the 5136 SubjectUserName (HOST$) and
//   ObjectDN (CN=HOST,...), i.e. a self-write.
//   Both events require the "Directory Service Changes"
//   audit subcategory and a SACL on the objects.
// Severity : High → Critical (victim object is a DC)
// Frequency : Every 15 minutes, look-back 25 minutes
//   (15 min schedule + 10 min sequence window, so a
//   pair that straddles two runs is still correlated)
// MITRE : T1548 — Abuse Elevation Control Mechanism
//         T1134 — Access Token Manipulation
// Tables : SecurityEvent
// =========================================================
let LookBack = 25m;
let SequenceWindow = 10m; // Both steps within 10 min in the same domain
// Step 1: Machine account creation by a low-privilege user.
// Machine accounts end in "$", so use endswith rather than
// has_any (a lone "$" is not a searchable term). The "admin"
// and SYSTEM exclusions are a naming heuristic only; replace
// with a watchlist of privileged groups in production.
let MachineCreation = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 5137
    | where ObjectClass =~ "computer"
    | where not(SubjectUserName endswith "$")
    | where SubjectUserName !contains "admin" and SubjectUserName !~ "SYSTEM"
    | extend
        Creator = strcat(SubjectDomainName, "\\", SubjectUserName),
        CreatorDomain = SubjectDomainName,
        NewMachine = ObjectDN,
        CreateTime = TimeGenerated,
        LoggingDC = Computer;
// Step 2: A computer account writes RBCD or shadow-credential
// attributes on its own object (the relayed SYSTEM write).
// Only 5136 carries AttributeLDAPDisplayName; 4742 (computer
// account changed) does not, so filtering it on that column
// silently dropped it. Use 5136 only.
let LocalAttrMod = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 5136
    | where AttributeLDAPDisplayName in~ (
        "msDS-AllowedToActOnBehalfOfOtherIdentity",
        "msDS-KeyCredentialLink"
      )
    | where SubjectUserName endswith "$"
    // Self-write: actor WS01$ modifying CN=WS01,...
    | extend ModAccount = trim_end(@"\$", SubjectUserName)
    | where ObjectDN startswith strcat("CN=", ModAccount, ",")
    | project
        ModTime = TimeGenerated,
        ModActor = strcat(SubjectDomainName, "\\", SubjectUserName),
        ModDomain = SubjectDomainName,
        VictimObject = ObjectDN,
        ModAttr = AttributeLDAPDisplayName;
// Correlate within the same domain and the sequence window
MachineCreation
| join kind=inner (LocalAttrMod) on $left.CreatorDomain == $right.ModDomain
| where ModTime between (CreateTime .. CreateTime + SequenceWindow)
| extend
    Sequence_sec = datetime_diff("second", ModTime, CreateTime),
    // DC computer objects sit in the Domain Controllers OU by default
    IsOnDC = VictimObject contains "OU=Domain Controllers"
| extend
    Severity = iff(IsOnDC, "Critical", "High"),
    WhySuspicious = strcat(
        "KrbRelayUp_Local_Escalation_Pattern; ",
        "Step1_MachineAccount_Created: ", NewMachine, "; ",
        "Step2_SelfWrite_", ModAttr, " by ", ModActor,
        " in ", tostring(Sequence_sec), "s; ",
        "Creator: ", Creator, "; ",
        "Victim: ", VictimObject
    )
| project
    TimeGenerated = CreateTime,
    Severity,
    WhySuspicious,
    Creator,
    NewMachine,
    VictimObject,
    ModAttr,
    ModActor,
    Sequence_sec,
    LoggingDC
| order by TimeGenerated desc
This query detects the directory-side footprint of a "KrbRelayUp" local privilege escalation, in which a low-privilege user on a domain-joined host relays the host's own Kerberos authentication to LDAP. Here is a plain-language breakdown of what the query does:
Purpose: It identifies a low-privilege user creating a machine account, followed shortly by the victim host's computer account writing delegation (RBCD) or shadow-credential attributes on its own Active Directory object. Those are the two directory writes KrbRelayUp needs before it can request a service ticket to the local host as a Domain Admin and run code as SYSTEM.
Detection Steps:
Step 1 (event 5137): a computer object is created by an account that is neither a machine account nor named like an administrator. Any domain user can do this while ms-DS-MachineAccountQuota is above zero (the default is 10), which is why the creation alone is only weak evidence.
Step 2 (event 5136): a machine account (HOST$) modifies msDS-AllowedToActOnBehalfOfOtherIdentity or msDS-KeyCredentialLink on the object CN=HOST,... That self-write is how the relayed SYSTEM authentication appears on the domain controller. Both events are logged by the DC, so the SecurityEvent Computer column names the DC, not the workstation; the victim is read from the 5136 actor and ObjectDN. Both events also require "Directory Service Changes" auditing and a SACL on the computer objects, or nothing will be logged.
Correlation: The two steps must belong to the same domain, and the attribute write must fall within 10 minutes after the account creation. During triage, confirm that the security descriptor written in the 5136 AttributeValue grants the newly created account; that closes the loop between the two events.
Severity Assessment: The activity is classified as "Critical" when the modified computer object sits in the Domain Controllers OU, otherwise "High."
Output: The query outputs the creation time, severity, a WhySuspicious summary, the user who created the machine account, the new machine account's DN, the victim computer object, the modified attribute, the machine account that wrote it, the seconds between the two steps, and the domain controller that logged the creation.
Frequency: This detection runs every 15 minutes and looks back 25 minutes (the 15-minute schedule plus the 10-minute sequence window), so a pair that straddles two runs is still correlated. Deduplicate alerts on Creator and NewMachine if the overlap re-raises the same pair.
Overall, this query is part of a security monitoring strategy to detect and respond to privilege escalation attempts in a timely manner.
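The correlation logic above, replayed offline over constructed 5137/5136 rows so the self-write check, the 10-minute window, and the DC severity rule can be exercised without a Sentinel workspace. This is an added example, not code from the original page or from the rule's author; the SecurityEvent dataclass, the host names (WS01, DC01, WEB01), the user names, and the corp.local domain are all invented for the illustration.

```python
"""Offline replay of the RULE-26 KrbRelayUp correlation over constructed events."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attributes written by the RBCD and shadow-credentials variants of KrbRelayUp.
TARGET_ATTRS = {"msds-allowedtoactonbehalfofotheridentity", "msds-keycredentiallink"}


@dataclass
class SecurityEvent:
    """The SecurityEvent columns the rule reads (names shortened; constructed)."""
    time: datetime
    event_id: int           # 5137 = object created, 5136 = object modified
    subject_domain: str     # SubjectDomainName
    subject_user: str       # SubjectUserName (HOST$ for a machine account)
    object_dn: str          # ObjectDN
    object_class: str = ""  # ObjectClass (5137 only)
    attribute: str = ""     # AttributeLDAPDisplayName (5136 only)


def is_low_priv_creator(user: str) -> bool:
    """Name-based heuristic used by the rule; use a group watchlist in production."""
    return (not user.endswith("$")
            and "admin" not in user.lower()
            and user.upper() != "SYSTEM")


def is_self_write(actor: str, object_dn: str) -> bool:
    """True when a computer account (WS01$) modifies its own object (CN=WS01,...).
    That is the shape of the relayed SYSTEM-to-LDAP write KrbRelayUp performs."""
    if not actor.endswith("$"):
        return False
    return object_dn.upper().startswith(f"CN={actor[:-1].upper()},")


def severity_for(victim_dn: str) -> str:
    """Domain controller objects live in the Domain Controllers OU by default."""
    return "Critical" if "OU=DOMAIN CONTROLLERS" in victim_dn.upper() else "High"


def correlate(events, window_minutes: int = 10):
    """Pair each qualifying 5137 with self-write 5136s in the same domain that
    land within the window after it. Returns findings newest first."""
    window = timedelta(minutes=window_minutes)
    creations = [e for e in events
                 if e.event_id == 5137
                 and e.object_class.lower() == "computer"
                 and is_low_priv_creator(e.subject_user)]
    mods = [e for e in events
            if e.event_id == 5136
            and e.attribute.lower() in TARGET_ATTRS
            and is_self_write(e.subject_user, e.object_dn)]
    findings = []
    for c in creations:
        for m in mods:
            if c.subject_domain.lower() != m.subject_domain.lower():
                continue
            if not (c.time <= m.time <= c.time + window):
                continue
            findings.append({
                "time": c.time,
                "severity": severity_for(m.object_dn),
                "creator": f"{c.subject_domain}\\{c.subject_user}",
                "new_machine": c.object_dn,
                "mod_actor": f"{m.subject_domain}\\{m.subject_user}",
                "victim_object": m.object_dn,
                "mod_attr": m.attribute,
                "sequence_sec": int((m.time - c.time).total_seconds()),
            })
    return sorted(findings, key=lambda f: f["time"], reverse=True)


# Constructed sample rows (not real telemetry). Times are offsets from T0.
T0 = datetime(2026, 3, 24, 9, 0, 0)
BASE = "DC=corp,DC=local"
SAMPLE_EVENTS = [
    # Pair 1: jdoe creates a machine account; 4 min later WS01$ writes RBCD on itself.
    SecurityEvent(T0, 5137, "CORP", "jdoe",
                  f"CN=KRU-FAKE01,CN=Computers,{BASE}", object_class="computer"),
    SecurityEvent(T0 + timedelta(minutes=4), 5136, "CORP", "WS01$",
                  f"CN=WS01,CN=Computers,{BASE}",
                  attribute="msDS-AllowedToActOnBehalfOfOtherIdentity"),
    # Pair 2: same pattern, but the self-write lands on a domain controller object.
    SecurityEvent(T0 + timedelta(minutes=60), 5137, "CORP", "bsmith",
                  f"CN=KRU-FAKE02,CN=Computers,{BASE}", object_class="computer"),
    SecurityEvent(T0 + timedelta(minutes=62), 5136, "CORP", "DC01$",
                  f"CN=DC01,OU=Domain Controllers,{BASE}",
                  attribute="msDS-KeyCredentialLink"),
    # Benign: an admin configures RBCD on a web server (not a self-write).
    SecurityEvent(T0 + timedelta(minutes=120), 5136, "CORP", "adm.jsmith",
                  f"CN=WEB01,OU=Servers,{BASE}",
                  attribute="msDS-AllowedToActOnBehalfOfOtherIdentity"),
    # Outside the window: creation, then a self-write 20 min later.
    SecurityEvent(T0 + timedelta(minutes=180), 5137, "CORP", "ccarter",
                  f"CN=LAB-VM7,CN=Computers,{BASE}", object_class="computer"),
    SecurityEvent(T0 + timedelta(minutes=200), 5136, "CORP", "WS02$",
                  f"CN=WS02,CN=Computers,{BASE}",
                  attribute="msDS-AllowedToActOnBehalfOfOtherIdentity"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["creator"], "->", f["victim_object"], f"{f['sequence_sec']}s")
```

With the default 10-minute window the replay yields two findings (the DC01 pair as Critical, the WS01 pair as High) and ignores both the administrator's RBCD change and the 20-minute-late self-write; widening the window to 30 minutes pulls the late pair in, which is the trade-off the SequenceWindow setting controls. To confirm a hit on a domain controller, read the attributes back with Get-ADComputer -Identity WS01 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity,msDS-KeyCredentialLink, and check the enabling condition with Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties ms-DS-MachineAccountQuota; setting that quota to 0 removes Step 1 for ordinary users.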

David Alonso
Released: March 24, 2026