This note documents detection patterns related to Kerberos Relay within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4769 | Kerberos service ticket request (TGS) | Critical | Primary signal when Kerberos tickets are requested for services such as LDAP, CIFS, or HOST unexpectedly. Review ServiceName, ClientAddress, TicketOptions, and TargetUserName. |
| Security | 4768 | Kerberos TGT request | High | May appear when attacker authenticates before performing relay activity. Useful for establishing session origin. |
| Security | 4624 | Successful logon | High | Look for LogonType 3 (network) originating from unusual hosts immediately after Kerberos ticket issuance. |
| Security | 4672 | Special privileges assigned | High | Privileged sessions following Kerberos authentication may indicate successful relay leading to privilege escalation. |
| Security | 4688 | Process creation | Medium | May reveal execution of tools such as krbrelayx or Rubeus; tool names are only visible when command-line logging is enabled for process creation events. |
| Sysmon | 1 | Process creation | Critical | Execution of Kerberos relay tooling (krbrelayx, Rubeus, Impacket utilities). |
| Sysmon | 3 | Network connection | High | Suspicious LDAP/SMB connections following Kerberos ticket acquisition. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Authentication coercion preceding Kerberos ticket | PrinterBug, PetitPotam, DFSCoerce, or other coercion attacks | Critical | These attacks force a host to authenticate to an attacker-controlled system, which enables relay. |
| Kerberos authentication to unexpected services | Service tickets requested for LDAP or CIFS on domain controllers unexpectedly | High | Often indicates ticket relay attempt. |
| Unusual host performing service ticket requests | Workstation requesting tickets for services normally accessed by servers | High | Suggests attacker-controlled relay host. |
| Service ticket reuse across systems | Same Kerberos ticket used across multiple hosts shortly after issuance | High | May indicate relay or ticket forwarding abuse. |
| Privileged changes following authentication | ACL modifications, new machine accounts, or delegation changes | Critical | Indicates attacker leveraged relayed Kerberos authentication. |
Common Tools
| Tool | Usage |
|---|---|
| krbrelayx | Relays Kerberos authentication to LDAP or SMB services. |
| Impacket | Contains Kerberos relay capabilities and supporting tooling. |
| Rubeus | Used to manipulate Kerberos tickets during relay attacks. |
| PrinterBug | Coerces authentication to attacker-controlled host. |
| PetitPotam | Triggers NTLM/Kerberos authentication from domain controllers. |
| Coercer | Framework for automating authentication coercion. |
Relevant Artifacts
- Domain controller Security logs (4768, 4769, 4624)
- Sysmon logs (1, 3)
- Kerberos operational logs
- LDAP service logs
- SMB authentication logs
- EDR telemetry detecting relay tooling
- Network telemetry showing Kerberos authentication flows
- Prefetch artifacts for Kerberos exploitation tools
MITRE ATT&CK References
- T1557 Adversary-in-the-Middle
- T1557.003 Kerberos Relay
- T1558 Steal or Forge Kerberos Tickets
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Identify Kerberos service ticket requests (4769) for unusual services.
- What host generated the event?
  - Determine whether the request originated from a workstation rather than the expected service host.
- Is the account expected to perform this action?
  - Verify whether the account normally authenticates to the requested service.
- Pivot:
  - Source host → inspect processes for krbrelayx or Kerberos manipulation tools.
  - Account → review privilege escalation activity.
  - Network → inspect authentication coercion preceding the ticket request.
- Confirm exploitation
  - Determine whether the attacker performed administrative actions following the relay.
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4769
| summarize count() by ServiceName, TargetUserName, ClientAddress, bin(TimeGenerated, 5m)
| order by count_ desc
```
```kql
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| project TimeGenerated, TargetUserName, IpAddress, WorkstationName
```
EQL
```eql
any where event.code == "4769"
```
Sigma
```yaml
title: Suspicious Kerberos Service Ticket Activity
id: kerberos-relay-detection
status: experimental
description: Detects abnormal Kerberos service ticket requests potentially associated with Kerberos relay attacks
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
  condition: selection
fields:
  - ServiceName
  - TargetUserName
  - ClientAddress
falsepositives:
  - Legitimate service authentication patterns
level: medium
tags:
  - attack.credential_access
  - attack.t1557.003
```
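The templates above only select on EventID; the filtering that makes them useful (workstation source, LDAP/CIFS/HOST target on a domain controller, a network logon shortly after the ticket) is what the decision tree describes. The script below is an added example, not part of the original note and not code from krbrelayx, Impacket, Rubeus or any other tool named here. It applies those decision-tree steps and the 5-minute `summarize` from the KQL to a handful of constructed Security events; the host names, account names, addresses and VLAN ranges are invented placeholders, and the "workstation versus server network" split is an assumption a real deployment would replace with its own asset inventory.

```python
# Added example: correlate constructed Windows Security events (4769, 4624)
# to surface the Kerberos relay indicators described in the note.
# Not from the original note or from any tool it lists.
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment facts (placeholders, not real infrastructure).
DC_SERVICE_CLASSES = {"ldap", "cifs", "host"}        # services the note calls out
DOMAIN_CONTROLLERS = {"dc01.corp.example"}
SERVER_NETWORKS = [ip_network("10.0.10.0/24")]        # assumed server VLAN
WORKSTATION_NETWORKS = [ip_network("10.0.20.0/24")]   # assumed workstation VLAN

# Constructed sample events. 4769 ClientAddress is IPv4-mapped, as it
# usually appears in the raw event.
SAMPLE_EVENTS = [
    # Benign: a server-VLAN host requests a CIFS ticket for the DC.
    {"EventID": 4769, "TimeGenerated": "2024-05-01T10:00:05",
     "ServiceName": "cifs/dc01.corp.example",
     "TargetUserName": "svc_backup@CORP.EXAMPLE", "ClientAddress": "::ffff:10.0.10.7"},
    # Suspicious: a workstation address requests an LDAP ticket for the DC
    # in the name of the DC's own machine account ...
    {"EventID": 4769, "TimeGenerated": "2024-05-01T10:03:12",
     "ServiceName": "ldap/dc01.corp.example",
     "TargetUserName": "DC01$@CORP.EXAMPLE", "ClientAddress": "::ffff:10.0.20.55"},
    # ... and within a minute that account logs on over the network from it.
    {"EventID": 4624, "TimeGenerated": "2024-05-01T10:03:40", "LogonType": 3,
     "TargetUserName": "DC01$", "IpAddress": "10.0.20.55", "WorkstationName": "WS-ENG-17"},
    # Benign interactive logon; must not be matched.
    {"EventID": 4624, "TimeGenerated": "2024-05-01T10:05:00", "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "10.0.20.12", "WorkstationName": "WS-ENG-12"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def _norm_addr(addr):
    """Strip the IPv4-mapped prefix so 4769 and 4624 addresses compare equal."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def _in_any(addr, networks):
    return any(ip_address(_norm_addr(addr)) in net for net in networks)


def summarize_tgs(events, bin_minutes=5):
    """In-memory equivalent of the KQL: count 4769 by ServiceName,
    TargetUserName, ClientAddress and a bin_minutes-wide time bucket."""
    counts = Counter()
    for e in events:
        if e["EventID"] != 4769:
            continue
        t = _ts(e)
        bucket = t.replace(minute=t.minute - t.minute % bin_minutes, second=0, microsecond=0)
        counts[(e["ServiceName"], e["TargetUserName"], _norm_addr(e["ClientAddress"]), bucket)] += 1
    return counts


def unusual_service_requests(events):
    """Decision-tree steps 1 and 2: a 4769 for LDAP/CIFS/HOST on a domain
    controller whose client address sits in a workstation network."""
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        svc_class, _, target = e["ServiceName"].lower().partition("/")
        if svc_class not in DC_SERVICE_CLASSES or target not in DOMAIN_CONTROLLERS:
            continue
        if _in_any(e["ClientAddress"], WORKSTATION_NETWORKS):
            hits.append(e)
    return hits


def network_logons_after(ticket, events, window=timedelta(minutes=5)):
    """Decision-tree pivot: 4624 LogonType 3 for the ticket's account, from the
    same client address, within `window` after the ticket was issued."""
    account = ticket["TargetUserName"].split("@")[0].lower()
    start = _ts(ticket)
    client = _norm_addr(ticket["ClientAddress"])
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == 3
            and e["TargetUserName"].lower() == account
            and _norm_addr(e["IpAddress"]) == client
            and start <= _ts(e) <= start + window]


def relay_candidates(events):
    """Rate each unusual ticket 'high' when a matching network logon follows,
    the 4769 -> 4624/LogonType 3 sequence the note treats as the key signal."""
    findings = []
    for t in unusual_service_requests(events):
        logons = network_logons_after(t, events)
        findings.append({"time": t["TimeGenerated"], "service": t["ServiceName"],
                         "account": t["TargetUserName"], "client": _norm_addr(t["ClientAddress"]),
                         "followed_by_network_logon": bool(logons),
                         "severity": "high" if logons else "medium"})
    return findings


if __name__ == "__main__":
    for finding in relay_candidates(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample it reports a single high-severity finding for the workstation-sourced LDAP ticket and ignores the server-VLAN CIFS request and the interactive logon. The account match on `TargetUserName` is deliberate: a relay to LDAP or SMB in the name of a machine account (here the DC's own) followed by a network logon of that account from a workstation address is the pattern the indirect-indicator table describes, whereas a bare EventID filter would return every service ticket in the domain.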
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| LDAP signing | Require LDAP signing and channel binding | High | Prevents relay to LDAP services. |
| SMB signing | Enforce SMB signing | High | Prevents Kerberos relay to SMB services. |
| Delegation restrictions | Restrict delegation settings across domain | High | Limits abuse paths. |
| Network monitoring | Monitor Kerberos authentication patterns | Medium | Detects unusual ticket requests. |
| Service hardening | Restrict services that accept delegated authentication | Medium | Reduces potential relay targets. |