LoFP / an single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.

Techniques

• T1078
• T1135
• T1558
• T1558.003

Sample rules

Unusual Number of Kerberos Service Tickets Requested

• source: splunk
• technicques:
  • T1558
  • T1558.003

Description

The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.

Detection logic

`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 
| bucket span=2m _time  
| stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src 
| eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src 
| eval upperBound=(comp_avg+comp_std*3)  
| eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)  
| search isOutlier=1 
| `unusual_number_of_kerberos_service_tickets_requested_filter`

Windows Large Number of Computer Service Tickets Requested

• source: splunk
• technicques:
  • T1135
  • T1078

Description

The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.

Detection logic

`wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$" 
| bucket span=5m _time 
| stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets by _time, IpAddress, TargetUserName 
| where unique_targets > 30 
| `windows_large_number_of_computer_service_tickets_requested_filter`