Suspicious Kerberos Authentication Ticket Request

Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/10/28"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a
Kerberos authentication ticket request from the target domain controller.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "winlogbeat-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Kerberos Authentication Ticket Request"
references = [
    "https://github.com/its-a-feature/bifrost",
    "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768",
    "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769"
]
risk_score = 73
rule_id = "c6b40f4c-c6a9-434e-adb8-989b0d06d005"
severity = "high"
tags = [
    "Domain: Endpoint",
    "Domain: Identity",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by source.port, source.ip with maxspan=3s
 [network where host.os.type == "windows" and destination.port == 88 and
  process.executable != null and process.pid != 4 and
  not process.executable : (
        "?:\\Windows\\system32\\lsass.exe",
        "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe",
        "\\device\\harddiskvolume*\\windows\\system32\\svchost.exe"
  ) and
  not (
    process.executable : (
      "C:\\Windows\\System32\\svchost.exe",
      "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
      "C:\\Program Files\\Omnissa\\Horizon\\Server\\bin\\ws_TomcatService.exe",
      "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe"
    ) and
    user.id in ("S-1-5-20", "S-1-5-18")
  ) and
  source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
 [authentication where host.os.type == "windows" and event.code in ("4768", "4769")]
'''

note = """## Triage and analysis

### Investigating Suspicious Kerberos Authentication Ticket Request

#### Possible investigation steps

- Which Timeline member events define this Kerberos sequence?
  - Focus: Timeline members keyed by alert `source.ip` and `source.port`; recover source `process.executable`, Kerberos `destination.ip`, and auth `event.code`.
  - Hint: record `host.id` and `process.entity_id`; verify auth `winlog.computer_name` is the DC.
  - Implication: escalate when one non-"lsass.exe" source process maps to a DC "4768" or "4769" event in the sequence window; lower concern for socket reuse, a different process, or non-DC destination.

- Is the recovered source process a recognized Kerberos-capable client?
  - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
  - Hint: open process start with recovered `host.id` and `process.entity_id`; if absent, use `host.id`, `process.pid`, and sequence window.
  - Implication: escalate when the binary is unsigned, renamed, user-writable, signer-mismatched, or outside known AD audit, Kerberos diagnostic, or security-test tooling; lower concern only when path, signer, hash history, command, and parent converge on one known tool.

- Does command-line and parentage show ticket-tool intent?
  - Focus: recovered `process.command_line`, `process.parent.executable`, `process.parent.command_line`, and broader process lineage when needed.
  - Implication: escalate on Bifrost-like verbs or flags such as asktgt, asktgs, s4u, ptt, kerberoast, service/SPN targets, hashes, keytabs, RC4, or base64 tickets, especially from shell or script parents; bounded diagnostics from a recognized admin tool reduce but do not clear concern.

- Which ticket path and target account did the DC member event show?
  - Focus: recovered auth `event.code`, `winlog.event_data.TargetUserName`, and `winlog.event_data.TargetDomainName`.
  - Implication: escalate when "4769" shows service-ticket activity or "4768" shows TGT handling for privileged, service, machine, or delegation-sensitive targets from the unusual process; fan-out increases concern.

- Does the source user and session context fit one bounded admin or audit source?
  - Focus: recovered `user.id`, `user.name`, `user.domain`, and `winlog.event_data.TargetUserName`.
  - Implication: escalate when privileged, service, or user-account tickets originate from a workstation, user session, or non-management tool; lower concern only when source host, user, process identity, command/parent, and target account recur as one bounded Kerberos diagnostic or audit pattern.

- Do surrounding Kerberos events show repetition or account fan-out?
  - Focus: same-source Kerberos network and authentication events, checking additional "4768"/"4769" events and `winlog.event_data.TargetUserName`.
    - $investigate_0
    - $investigate_1
  - Implication: escalate when requests repeat or fan out across accounts; a single bounded request narrows scope but does not close if process identity or command intent remains suspicious. Missing network or authentication telemetry is unresolved, not benign.

- Do later logon or explicit-credential events suggest ticket use?
  - Focus: same-source authentication results, checking later `event.code` "4624"/"4648", `winlog.event_data.TargetUserName`, and 4648 `winlog.event_data.TargetServerName`.
  - Implication: escalate when post-ticket logon or explicit-credential activity reaches sensitive accounts or servers from the same source; absence narrows impact but does not close if the ticket request remains suspicious. Missing same-source authentication telemetry leaves ticket use unresolved, not benign.

- If local evidence remains suspicious or unresolved, does the same source show related alerts?
  - Focus: related alerts for `source.ip`; manually pivot on recovered `process.hash.sha256` or `winlog.event_data.TargetUserName` when locally suspicious. $investigate_2
  - Implication: broaden scope when credential-access, Kerberoasting, relay, or lateral-movement alerts share the source, process, or target account; keep local only when related alerts are absent and recovered evidence resolves cleanly.

- Escalate when sequence recovery, source-process identity, command intent, DC ticket target, account context, or surrounding ticket/logon activity show unauthorized direct Kerberos; close only when telemetry binds one recognized tool, source host, user, and target account and outside confirmation verifies exact activity when telemetry cannot; preserve and escalate when visibility is incomplete or evidence conflicts.

### False positive analysis

- AD audit tools, Kerberos diagnostics, interoperability testing, or security testing can request tickets directly instead of through "lsass.exe". Confirm only when process path, signer/hash, parent, command line, `source.ip`, `user.id`, `event.code`, and target account align with the same recognized tool on a dedicated admin, lab, or audit source; without outside records, require the same process identity, source host/user, target account, and bounded ticket pattern across prior alerts from this rule.
- Treat partial matches as unresolved when process identity fits but the command targets unusual SPNs, privileged accounts, RC4/kerberoast behavior, or follow-on "4624"/"4648" activity. Do not close on signer, source IP, or event code alone when ticket target or command intent contradicts benign workflow.
- Before creating an exception, anchor it to the minimum stable workflow: dedicated `source.ip` or source host, process signer/hash/path, parent workflow, `user.id`, target account, and bounded `event.code` pattern. Avoid exceptions on `source.port`, `event.code`, process name, or broad account patterns alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the recovered source host/IP, process identity, command line, source user, DC ticket event, and target account that proved the recognized workflow. Create an exception only after the same dedicated source and process pattern recurs consistently.
- If suspicious but unconfirmed, preserve the alert, Timeline member events, suspicious process binary and command line, source socket, DC authentication record, and any follow-on "4624" or "4648" evidence before containment or process action.
- Apply reversible containment next: restrict the recovered source host's Kerberos/DC access or isolate the host when its role tolerates isolation, and suspend the recovered process only after process and authentication artifacts are captured.
- If confirmed malicious, isolate the recovered source host, terminate or suspend the recovered process after recording its `process.entity_id`, expire exposed Kerberos tickets where operationally appropriate, and reset or rotate impacted credentials, prioritizing privileged, service, machine, and delegation-capable accounts.
- Before cleanup, search for the same source IP, recovered process hash, target account, and related credential-access, Kerberoasting, relay, or lateral-movement activity so scope is not limited to the first sequence.
- After containment, retain DC "4768"/"4769" auditing and endpoint network telemetry, restrict direct Kerberos tooling to controlled admin/testing hosts, and document the recovered tool pattern and any logging gaps in the case record.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Sysmon Event ID 3 - Network Connection](https://ela.st/sysmon-event-3-setup)
- [Audit Kerberos Authentication Service](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-authentication-service)
- [Audit Kerberos Service Ticket Operations](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-service-ticket-operations)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "source.ip",
    "source.port",
    "host.id",
]

[transform]

[[transform.investigate]]
label = "Kerberos network events from the same source IP"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
    { excluded = false, field = "source.ip", queryType = "phrase", value = "{{source.ip}}", valueType = "string" },
    { excluded = false, field = "destination.port", queryType = "phrase", value = "88", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Authentication events for the same source IP"
description = ""
providers = [
  [
    { excluded = false, field = "event.category", queryType = "phrase", value = "authentication", valueType = "string" },
    { excluded = false, field = "source.ip", queryType = "phrase", value = "{{source.ip}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the same source IP"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "source.ip", queryType = "phrase", value = "{{source.ip}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.003"
name = "Pass the Ticket"
reference = "https://attack.mitre.org/techniques/T1550/003/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"

[[rule.threat.technique.subtechnique]]
id = "T1558.003"
name = "Kerberoasting"
reference = "https://attack.mitre.org/techniques/T1558/003/"

[[rule.threat.technique.subtechnique]]
id = "T1558.004"
name = "AS-REP Roasting"
reference = "https://attack.mitre.org/techniques/T1558/004/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
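The following is an added example, not part of the Elastic rule: it re-implements the EQL sequence above in plain Python so the join key (`source.ip`, `source.port`), the 3 s `maxspan` window and the two-tier `process.executable` exclusion can be exercised on a handful of constructed ECS-style events. The sample events, the helper functions and the simplified sequence semantics (one join per candidate) are assumptions of the example, not Elastic's engine.

```python
# Added example (not Elastic's code): Python mirror of the rule's EQL sequence, run over constructed events.
from fnmatch import fnmatch

EXCLUDED = (  # the rule's unconditional `not process.executable : (...)` list
    "?:\\Windows\\system32\\lsass.exe",
    "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe",
    "\\device\\harddiskvolume*\\windows\\system32\\svchost.exe")
SERVICE_ONLY = (  # excluded only when user.id is NETWORK SERVICE or SYSTEM
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
    "C:\\Program Files\\Omnissa\\Horizon\\Server\\bin\\ws_TomcatService.exe",
    "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe")
SERVICE_SIDS = {"S-1-5-20", "S-1-5-18"}
MAXSPAN = 3.0  # seconds, from `with maxspan=3s`

def glob_any(path, patterns):
    # EQL `:` is a case-insensitive wildcard match; fnmatch is not, so lowercase both sides
    return any(fnmatch(path.lower(), p.lower()) for p in patterns)

def is_candidate(ev):
    """First sequence member: a port-88 connection by a process other than the lsass Kerberos client."""
    exe = ev.get("process.executable")
    return (ev["event.category"] == "network" and ev.get("destination.port") == 88
            and exe is not None and ev.get("process.pid") != 4
            and not glob_any(exe, EXCLUDED)
            and not (glob_any(exe, SERVICE_ONLY) and ev.get("user.id") in SERVICE_SIDS)
            and ev["source.ip"] != "127.0.0.1" and ev.get("destination.ip") not in ("::1", "127.0.0.1"))

def is_ticket_request(ev):
    """Second member: the DC's 4768 (TGT) or 4769 (service ticket) audit record."""
    return ev["event.category"] == "authentication" and ev.get("event.code") in ("4768", "4769")

def correlate(events):
    """`sequence by source.port, source.ip with maxspan=3s`, simplified: each candidate joins the
    first ticket request that shares its client socket and lands inside the window."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    hits = []
    for i, net in enumerate(ordered):
        if not is_candidate(net):
            continue
        for cand in ordered[i + 1:]:
            if cand["@timestamp"] - net["@timestamp"] > MAXSPAN:
                break  # past the window: EQL would expire this partial sequence
            if (is_ticket_request(cand) and
                    (cand["source.ip"], cand["source.port"]) == (net["source.ip"], net["source.port"])):
                hits.append((net, cand))
                break
    return hits

def net(ts, ip, port, exe, user="S-1-5-21-1-2-3-1001"):  # constructed endpoint network event
    return {"@timestamp": ts, "event.category": "network", "source.ip": ip, "source.port": port,
            "destination.ip": "10.0.0.1", "destination.port": 88, "process.executable": exe,
            "process.pid": 4242, "user.id": user}

def auth(ts, ip, port, code):  # constructed DC-side record; source.* is the requesting client socket
    return {"@timestamp": ts, "event.category": "authentication", "source.ip": ip,
            "source.port": port, "event.code": code}

SAMPLE = [  # constructed, not captured telemetry; 10.0.0.1 plays the DC
    net(100.0, "10.0.0.5", 50001, "C:\\Windows\\system32\\lsass.exe"), auth(100.4, "10.0.0.5", 50001, "4768"),
    net(200.0, "10.0.0.5", 50002, "C:\\Users\\bob\\Downloads\\krb.exe"), auth(201.2, "10.0.0.5", 50002, "4769"),
    net(300.0, "10.0.0.7", 50003, "C:\\Windows\\System32\\svchost.exe", "S-1-5-20"), auth(300.5, "10.0.0.7", 50003, "4768"),
    net(400.0, "10.0.0.9", 50004, "C:\\Users\\bob\\Downloads\\krb.exe"), auth(404.5, "10.0.0.9", 50004, "4769"),
    net(500.0, "10.0.0.7", 50005, "C:\\Windows\\System32\\svchost.exe"), auth(501.0, "10.0.0.7", 50005, "4768"),
]
```

Running `correlate(SAMPLE)` yields two sequences: the user-writable `krb.exe` on port 50002 and the `svchost.exe` running under a non-service SID on port 50005; the lsass request, the `svchost.exe` under NETWORK SERVICE and the request answered 4.5 s later all fall outside the rule.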
