Suspicious Ticket Granting Ticket Request

name: Suspicious Ticket Granting Ticket Request
id: d77d349e-6269-11ec-9cfe-acde48001122
version: 9
date: '2026-02-25'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. It leverages Event ID 4781 (account name change) and Event ID 4768 (TGT request) to identify sequences where a newly renamed computer account requests a TGT. This behavior is significant as it could represent an attempt to escalate privileges by impersonating a Domain Controller. If confirmed malicious, this activity could allow attackers to gain elevated access and potentially control over the domain environment.
data_source:
    - Windows Event Log Security 4768
    - Windows Event Log Security 4781
search: |-
    `wineventlog_security` (EventCode=4781 OldTargetUserName="*$" NewTargetUserName!="*$") OR (EventCode=4768 TargetUserName!="*$")
      | eval RenamedComputerAccount = coalesce(NewTargetUserName, TargetUserName)
      | transaction RenamedComputerAccount startswith=(EventCode=4781) endswith=(EventCode=4768)
      | eval short_lived=case((duration<2),"TRUE")
      | search short_lived = TRUE
      | table _time, Computer, EventCode, TargetUserName, RenamedComputerAccount, short_lived
      | rename Computer as dest
      | `suspicious_ticket_granting_ticket_request_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: A computer account name change event inmediately followed by a kerberos TGT request with matching fields is unsual. However, legitimate behavior may trigger it. Filter as needed.
references:
    - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42278
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42287
tags:
    analytic_story:
        - sAMAccountName Spoofing and Domain Controller Impersonation
        - Active Directory Kerberos Attacks
        - Active Directory Privilege Escalation
    asset_type: Endpoint
    mitre_attack_id:
        - T1078.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog