Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Potential Kerberoasting

Back
Id1572e66b-20a7-4012-9ec4-77ec4b101bc8
RulenamePotential Kerberoasting
DescriptionA service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.

Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.

An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.

This hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.
SeverityMedium
TacticsCredentialAccess
TechniquesT1558
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml
Version1.1.7
Arm template1572e66b-20a7-4012-9ec4-77ec4b101bc8.json
Deploy To Azure
let starttime = 1d;
let endtime = 1h;
let prev23hThreshold = 4;
let prev1hThreshold = 15;
let Kerbevent = (union isfuzzy=true
(SecurityEvent
| where TimeGenerated >= ago(starttime)
| where EventID == 4769
| parse EventData with * 'TicketEncryptionType">' TicketEncryptionType "<" *
| where TicketEncryptionType == '0x17'
| parse EventData with * 'TicketOptions">' TicketOptions "<" *
| where TicketOptions == '0x40810000'
| parse EventData with * 'Status">' Status "<" *
| where Status == '0x0'
| parse EventData with * 'ServiceName">' ServiceName "<" *
| where ServiceName !contains "$" and ServiceName !contains "krbtgt"
| parse EventData with * 'TargetUserName">' TargetUserName "<" *
| where TargetUserName !contains "$@" and TargetUserName !contains ServiceName
| parse EventData with * 'IpAddress">::ffff:' ClientIPAddress "<" *
),
(
WindowsEvent
| where TimeGenerated >= ago(starttime)
| where EventID == 4769 and EventData has '0x17' and EventData has '0x40810000' and EventData has 'krbtgt'
| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)
| where TicketEncryptionType == '0x17'
| extend TicketOptions = tostring(EventData.TicketOptions)
| where TicketOptions == '0x40810000'
| extend Status = tostring(EventData.Status)
| where Status == '0x0'
| extend ServiceName = tostring(EventData.ServiceName)
| where ServiceName !contains "$" and ServiceName !contains "krbtgt"
| extend TargetUserName = tostring(EventData.TargetUserName)
| where TargetUserName !contains "$@" and TargetUserName !contains ServiceName
| extend ClientIPAddress = tostring(EventData.IpAddress)
));
let Kerbevent23h = Kerbevent
| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)
by Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status
| where ServiceNameCountPrev23h < prev23hThreshold;
let Kerbevent1h =
Kerbevent
| where TimeGenerated >= ago(endtime)
| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)
by Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;
Kerbevent1h
| join kind=leftanti
(
Kerbevent23h
) on TargetUserName, TargetDomainName
// Threshold value set above is based on testing, this value may need to be changed for your environment.
| where ServiceNameCountPrev1h > prev1hThreshold
| project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,
TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend TargetAccount = strcat(TargetDomainName,  "\\", TargetUserName)
| project-away DomainIndex
name: Potential Kerberoasting
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1558
version: 1.1.7
description: |
  'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.
  Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.
  An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.
  This hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours.  Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: TargetAccount
  - identifier: Name
    columnName: TargetUserName
  - identifier: NTDomain
    columnName: TargetDomainName
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: ClientIPAddress
  entityType: IP
tactics:
- CredentialAccess
queryPeriod: 1d
query: |
  let starttime = 1d;
  let endtime = 1h;
  let prev23hThreshold = 4;
  let prev1hThreshold = 15;
  let Kerbevent = (union isfuzzy=true
  (SecurityEvent
  | where TimeGenerated >= ago(starttime)
  | where EventID == 4769
  | parse EventData with * 'TicketEncryptionType">' TicketEncryptionType "<" *
  | where TicketEncryptionType == '0x17'
  | parse EventData with * 'TicketOptions">' TicketOptions "<" *
  | where TicketOptions == '0x40810000'
  | parse EventData with * 'Status">' Status "<" *
  | where Status == '0x0'
  | parse EventData with * 'ServiceName">' ServiceName "<" *
  | where ServiceName !contains "$" and ServiceName !contains "krbtgt"
  | parse EventData with * 'TargetUserName">' TargetUserName "<" *
  | where TargetUserName !contains "$@" and TargetUserName !contains ServiceName
  | parse EventData with * 'IpAddress">::ffff:' ClientIPAddress "<" *
  ),
  (
  WindowsEvent
  | where TimeGenerated >= ago(starttime)
  | where EventID == 4769 and EventData has '0x17' and EventData has '0x40810000' and EventData has 'krbtgt'
  | extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)
  | where TicketEncryptionType == '0x17'
  | extend TicketOptions = tostring(EventData.TicketOptions)
  | where TicketOptions == '0x40810000'
  | extend Status = tostring(EventData.Status)
  | where Status == '0x0'
  | extend ServiceName = tostring(EventData.ServiceName)
  | where ServiceName !contains "$" and ServiceName !contains "krbtgt"
  | extend TargetUserName = tostring(EventData.TargetUserName)
  | where TargetUserName !contains "$@" and TargetUserName !contains ServiceName
  | extend ClientIPAddress = tostring(EventData.IpAddress)
  ));
  let Kerbevent23h = Kerbevent
  | where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)
  | summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)
  by Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status
  | where ServiceNameCountPrev23h < prev23hThreshold;
  let Kerbevent1h =
  Kerbevent
  | where TimeGenerated >= ago(endtime)
  | summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)
  by Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;
  Kerbevent1h
  | join kind=leftanti
  (
  Kerbevent23h
  ) on TargetUserName, TargetDomainName
  // Threshold value set above is based on testing, this value may need to be changed for your environment.
  | where ServiceNameCountPrev1h > prev1hThreshold
  | project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,
  TicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend TargetAccount = strcat(TargetDomainName,  "\\", TargetUserName)
  | project-away DomainIndex  
kind: Scheduled
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Microsoft Security Research
triggerThreshold: 0
id: 1572e66b-20a7-4012-9ec4-77ec4b101bc8
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1572e66b-20a7-4012-9ec4-77ec4b101bc8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1572e66b-20a7-4012-9ec4-77ec4b101bc8')]",
      "properties": {
        "alertRuleTemplateName": "1572e66b-20a7-4012-9ec4-77ec4b101bc8",
        "customDetails": null,
        "description": "'A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment.\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment.\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account. This can then be used for offline cracking.\nThis hunting query looks for accounts that are generating excessive requests to different resources within the last hour compared with the previous 24 hours.  Normal users would not make an unusually large number of request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.'\n",
        "displayName": "Potential Kerberoasting",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "TargetUserName",
                "identifier": "Name"
              },
              {
                "columnName": "TargetDomainName",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotentialKerberoast.yaml",
        "query": "let starttime = 1d;\nlet endtime = 1h;\nlet prev23hThreshold = 4;\nlet prev1hThreshold = 15;\nlet Kerbevent = (union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventID == 4769\n| parse EventData with * 'TicketEncryptionType\">' TicketEncryptionType \"<\" *\n| where TicketEncryptionType == '0x17'\n| parse EventData with * 'TicketOptions\">' TicketOptions \"<\" *\n| where TicketOptions == '0x40810000'\n| parse EventData with * 'Status\">' Status \"<\" *\n| where Status == '0x0'\n| parse EventData with * 'ServiceName\">' ServiceName \"<\" *\n| where ServiceName !contains \"$\" and ServiceName !contains \"krbtgt\"\n| parse EventData with * 'TargetUserName\">' TargetUserName \"<\" *\n| where TargetUserName !contains \"$@\" and TargetUserName !contains ServiceName\n| parse EventData with * 'IpAddress\">::ffff:' ClientIPAddress \"<\" *\n),\n(\nWindowsEvent\n| where TimeGenerated >= ago(starttime)\n| where EventID == 4769 and EventData has '0x17' and EventData has '0x40810000' and EventData has 'krbtgt'\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\n| where TicketEncryptionType == '0x17'\n| extend TicketOptions = tostring(EventData.TicketOptions)\n| where TicketOptions == '0x40810000'\n| extend Status = tostring(EventData.Status)\n| where Status == '0x0'\n| extend ServiceName = tostring(EventData.ServiceName)\n| where ServiceName !contains \"$\" and ServiceName !contains \"krbtgt\"\n| extend TargetUserName = tostring(EventData.TargetUserName)\n| where TargetUserName !contains \"$@\" and TargetUserName !contains ServiceName\n| extend ClientIPAddress = tostring(EventData.IpAddress)\n));\nlet Kerbevent23h = Kerbevent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName)\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\n| where ServiceNameCountPrev23h < prev23hThreshold;\nlet Kerbevent1h =\nKerbevent\n| where TimeGenerated >= ago(endtime)\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName)\nby Computer, TargetUserName, TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\nKerbevent1h\n| join kind=leftanti\n(\nKerbevent23h\n) on TargetUserName, TargetDomainName\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\n| where ServiceNameCountPrev1h > prev1hThreshold\n| project StartTime = min_TimeGenerated, EndTime = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions,\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend TargetAccount = strcat(TargetDomainName,  \"\\\\\", TargetUserName)\n| project-away DomainIndex\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1558"
        ],
        "templateVersion": "1.1.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}