Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Semperis DSP Kerberos krbtgt account with old password

Back
Id9ff3b26b-7636-412e-ac46-072b084b94cb
RulenameSemperis DSP Kerberos krbtgt account with old password
DescriptionThe krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account’s password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn’t been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days.
SeverityMedium
TacticsCredentialAccess
Required data connectorsSemperisDSP
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml
Version1.0.1
Arm template9ff3b26b-7636-412e-ac46-072b084b94cb.json
Deploy To Azure
dsp_parser
| where EventID == 9212
| where SecurityIndicatorName == "Kerberos krbtgt account with old password"
| extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
queryFrequency: 1h
tactics:
- CredentialAccess
queryPeriod: 1h
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml
description: |
    'The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days.'
requiredDataConnectors:
- dataTypes:
  - dsp_parser
  connectorId: SemperisDSP
version: 1.0.1
triggerThreshold: 0
severity: Medium
triggerOperator: gt
id: 9ff3b26b-7636-412e-ac46-072b084b94cb
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: LoginUser
    identifier: Name
  - columnName: NTDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
status: Available
name: Semperis DSP Kerberos krbtgt account with old password
query: |
  dsp_parser
  | where EventID == 9212
  | where SecurityIndicatorName == "Kerberos krbtgt account with old password"
  | extend NTDomain = tostring(split(UserName, '\\', 0)[0]), LoginUser = tostring(split(UserName, '\\', 1)[0])
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9ff3b26b-7636-412e-ac46-072b084b94cb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9ff3b26b-7636-412e-ac46-072b084b94cb')]",
      "properties": {
        "alertRuleTemplateName": "9ff3b26b-7636-412e-ac46-072b084b94cb",
        "customDetails": null,
        "description": "'The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days. While Microsoft recommends changing the password every year, STIG recommends changing it every 180 days.'\n",
        "displayName": "Semperis DSP Kerberos krbtgt account with old password",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "LoginUser",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_KerberoskrbtgtAccount.yaml",
        "query": "dsp_parser\n| where EventID == 9212\n| where SecurityIndicatorName == \"Kerberos krbtgt account with old password\"\n| extend NTDomain = tostring(split(UserName, '\\\\', 0)[0]), LoginUser = tostring(split(UserName, '\\\\', 1)[0])\n| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}