Kerberoasting Activity - Initial Query

calendar Sep 2, 2024 · attack.credential-access attack.t1558.003  ·
Share on: linkedin copy

This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

Sigma rule (View on GitHub)

 1title: Kerberoasting Activity - Initial Query
 2id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
 3status: test
 4description: |
 5    This rule will collect the data needed to start looking into possible kerberoasting activity.
 6    Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
 7    You can then set a threshold for the number of requests and time between the requests to turn this into an alert.    
 8references:
 9    - https://www.trustedsec.com/blog/art_of_kerberoast/
10    - https://adsecurity.org/?p=3513
11author: '@kostastsale'
12date: 2022-01-21
13tags:
14    - attack.credential-access
15    - attack.t1558.003
16logsource:
17    product: windows
18    service: security
19detection:
20    selection:
21        EventID: 4769
22        Status: '0x0' # Translated as status from failure code field. Query only for successes
23        TicketEncryptionType: '0x17' # RC4 ticket encryption type
24    filter_main_:
25        ServiceName|endswith:
26            - 'krbtgt' # Ignore requests for the krbtgt service
27            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
28        TargetUserName|contains: '$@' # Ignore requests from machines
29    condition: selection and not 1 of filter_main_*
30falsepositives:
31    - Legacy applications.
32level: medium

References

Related rules

to-top