Name:Unusual Number of Kerberos Service Tickets Requested id:eb3e6702-8936-11ec-98fe-acde48001122 version:5 date:2024-10-17 author:Mauricio Velazco, Dean Luxton, Splunk status:production type:Anomaly Description:The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment. Data_source:
-Windows Event Log Security 4769
search:`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. known_false_positives:An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. References: -https://attack.mitre.org/techniques/T1558/003/ -https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting drilldown_searches: name:'View the detection results for - "$src$"' search:'%original_detection_search% | search src = "$src$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Kerberos Attacks' asset_type:Endpoint confidence:80 impact:80 message:User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack mitre_attack_id: - 'T1558' - 'T1558.003' observable: name:'src' type:'Endpoint' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'Ticket_Options' - 'Ticket_Encryption_Type' - 'user' - 'src' - 'Service_Name' - 'service_id' - 'Client_Address' risk_score:64 security_domain:endpoint
