Kerberoasting Activity - Initial query
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Sigma rule (View on GitHub)
1title: Kerberoasting Activity - Initial query
2id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
3status: experimental
4description: This rule will collect the data needed to start looking into possible kerberoasting activity.
5 Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards
6 multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests
7 and time between the requests to turn this into an alert.
8date: 2022/01/21
9author: \@kostastsale
10references:
11 - https://www.trustedsec.com/blog/art_of_kerberoast/
12 - https://adsecurity.org/?p=3513
13logsource:
14 product: windows
15 service: security
16detection:
17 selection:
18 EventID:
19 4769
20 Status:
21 '0x0' # Translated as status from failure code field. Query only for successes
22 TicketEncryptionType:
23 '0x17' # RC4 ticket encryption type
24 filter:
25 ServiceName|endswith:
26 - 'krbtgt' # Ignore requests for the krbtgt service
27 - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
28 TargetUserName|contains:
29 - '$@' # Ignore requests from machines
30 condition: selection and not filter
31falsepositives:
32 - Legacy applications
33level: medium
34tags:
35 - attack.credential_access
36 - attack.t1558.003```
References
-
As a former defender, there is a sense of “happiness” when I can put defenses in place that allow you to detect attacks and potential indicators of compromise (IoC). It's like those old spy toys yo...
Read More -
In my previous post, “Detecting Kerberoasting Activity” I explain how Kerberoasting works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activ...
Read More
Related rules
- Kerberos .kirbi Ticket Files
- Possible Impacket GetUserSPNs Activity
- LAPS Credential Dumping Spoofing and Domain Controller Impersonation
- Using Lazagne to dump credentials
- Mimikatz Module Names