Id: 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb
Rulename: Alsid Golden Ticket
Description: Searches for Golden Ticket attacks
Severity: High
Tactics: CredentialAccess
Techniques: T1558.001
Required data connectors: AlsidForAD
Kind: Scheduled
Query frequency: 2h
Query period: 2h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/GoldenTicket.yaml
Version: 1.0.1
Arm template: 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb.json
KQL: afad_parser | where MessageType == 2 and Codename == "Golden Ticket" | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.
Id: 12134de5-361b-427c-a1a0-d43f40a593c4
Rulename: Detect Potential Kerberoast Activities
Description: This query aims to detect if someone requests service tickets (where count >= maxcount). The query requires trimming to set a baseline level for MaxCount. Mitre Technique: Kerberoasting (T1558.003). @MattiasBorg82
Severity: Medium
Tactics: CredentialAccess
Techniques: T1558.003
Required data connectors: MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Execution/PotentialKerberoastActivities.yaml
Version: 1.
Id: 1572e66b-20a7-4012-9ec4-77ec4b101bc8
Rulename: Potential Kerberoasting
Description: A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. Each SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC), which contains a hash of the service account.
Id: ef88eb96-861c-43a0-ab16-f3835a97c928
Rulename: Powershell Empire Cmdlets Executed in Command Line
Description: This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.
Severity: Medium
Tactics: Collection, CommandAndControl, CredentialAccess, DefenseEvasion, Discovery, Execution, Exfiltration, LateralMovement, Persistence, PrivilegeEscalation
Techniques: T1548.002, T1134, T1134.002, T1134.005, T1087.001, T1087.002, T1557.001, T1071.001, T1560, T1547.001, T1547.005, T1547.009, T1217, T1115, T1059, T1059.001, T1059.003, T1136.001, T1136.002
Id: 9ff3b26b-7636-412e-ac46-072b084b94cb
Rulename: Semperis DSP Kerberos krbtgt account with old password
Description: The krbtgt user account is a special (disabled) user account in every Active Directory domain that has a special role in Kerberos function. If this account's password is compromised, Golden Ticket attacks can be performed to get access to any resource in the AD domain. This indicator looks for a krbtgt user account whose password hasn't been changed in the past 180 days.
Id: d1abda25-f88a-429a-8163-582533cd0def
Rulename: Tenable.ad Golden Ticket
Description: Searches for Golden Ticket attacks.
Severity: High
Tactics: CredentialAccess
Techniques: T1558.001
Required data connectors: Tenable.ad
Kind: Scheduled
Query frequency: 2h
Query period: 2h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdGoldenTicket.yaml
Version: 1.0.1
Arm template: d1abda25-f88a-429a-8163-582533cd0def.json
KQL: // For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace // Retrieve the parser here: https://raw.
Id: 216e12dd-165a-4537-b241-32e1bd3330c7
Rulename: TIE Golden Ticket
Description: Searches for Golden Ticket attacks.
Severity: High
Tactics: CredentialAccess
Techniques: T1558.001
Required data connectors: TenableIE
Kind: Scheduled
Query frequency: 2h
Query period: 2h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tenable App/Analytic Rules/TIEGoldenTicket.yaml
Version: 1.0.1
Arm template: 216e12dd-165a-4537-b241-32e1bd3330c7.json
KQL: // For the query to work properly, make sure you have imported the afad_parser.yaml parser into the workspace // Retrieve the parser here: https://aka.