Name:Windows Large Number of Computer Service Tickets Requested id:386ad394-c9a7-4b4f-b66f-586252de20f0 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:Anomaly Description:The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network. Data_source:
-Windows Event Log Security 4769
search:`wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$" | bucket span=5m _time | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName | where unique_targets > 30 | `windows_large_number_of_computer_service_tickets_requested_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. known_false_positives:An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems. References: -https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ -https://attack.mitre.org/techniques/T1135/ -https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769 drilldown_searches: name:'View the detection results for - "$IpAddress$"' search:'%original_detection_search% | search IpAddress = "$IpAddress$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$IpAddress$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Privilege Escalation' - 'Active Directory Lateral Movement' asset_type:Endpoint confidence:50 impact:60 message:A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes. mitre_attack_id: - 'T1135' - 'T1078' observable: name:'IpAddress' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'ServiceName' - 'TargetUserName' - 'IpAddress' risk_score:30 security_domain:endpoint
