Kerberoasting Activity - Initial query

calendar Apr 25, 2022  ·
Share on: linkedin copy

This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

Sigma rule (View on GitHub)

 1title: Kerberoasting Activity - Initial query
 2description: This rule will collect the data needed to start looking into possible kerberoasting activity.
 3             Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards 
 4             multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests 
 5             and time between the requests to turn this into an alert.
 6date: 2022/01/21
 7author: \@kostastsale
 8references: 
 9 - https://www.trustedsec.com/blog/art_of_kerberoast/
10 - https://adsecurity.org/?p=3513
11logsource:
12    product: windows
13    service: security
14detection:
15    selection:
16        EventID: 
17          4769
18        Status:
19         '0x0' # Translated as status from failure code field. Query only for successes
20        TicketEncryptionType: 
21          '0x17' # RC4 ticket encryption type
22    filter:
23        ServiceName|endswith:
24         -  'krbtgt' # Ignore requests for the krbtgt service
25         -  '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
26        TargetUserName|contains:
27         -  '$@' # Ignore requests from machines
28    condition: selection and not filter
29falsepositives:
30    - Legacy applications 
31level: medium

References

to-top