Event ID 4769 — A Kerberos service ticket was requested.
Description
A Kerberos service ticket was requested.
Fields

| Name | Description |
|---|---|
| Account_Name | [Account Information] Account Name. |
| Account_Domain | [Account Information] Account Domain. |
| Service_Name | [Service Information] Service Name. Indicates the resource to which access was requested. |
| Service_ID | [Service Information] Service ID. |
| Ticket_Options | [Additional Information] Ticket Options. Bitmask flags. |
| Ticket_Encryption_Type | [Additional Information] Ticket Encryption Type. Known values. |
| Client_Address | [Network Information] Client Address. |
| Client_Port | [Network Information] Client Port. |
| Failure_Code | [Additional Information] Failure Code. NTSTATUS reference. |
| Logon_GUID | [Account Information] Logon GUID. |
| Transited_Services | [Additional Information] Transited Services. |
Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4769,
    "version": 0,
    "level": 0,
    "task": 14337,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2021-12-12T17:57:52.277095Z",
    "event_record_id": 2982083,
    "correlation": {},
    "execution": {
      "process_id": 624,
      "thread_id": 3652
    },
    "channel": "Security",
    "computer": "01566s-win16-ir.threebeesco.com",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "labuser@CONTOSO.COM",
    "TargetDomainName": "CONTOSO.COM",
    "ServiceName": "01566S-WIN16-IR$",
    "ServiceSid": "S-1-5-21-308926384-506822093-3341789130-35103",
    "TicketOptions": "0x40810000",
    "TicketEncryptionType": "0x12",
    "IpAddress": "::ffff:172.16.66.19",
    "IpPort": "50612",
    "Status": "0x0",
    "LogonGuid": "58ADC6C7-668E-A999-C52A-384B1CB8E553",
    "TransmittedServices": "-"
  }
}
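The Ticket_Options field is a bitmask and Ticket_Encryption_Type is a code, so neither reads directly from the raw event. The following decoder is an added example (not part of this page or of any Microsoft tooling): the flag masks and encryption type codes are the values Microsoft documents for this event, and the sample inputs are the TicketOptions and TicketEncryptionType values from the example event above. The `is_weak_encryption` helper and its list of DES/RC4 types are this example's own choice of what to treat as weak.

```python
"""Decode the TicketOptions bitmask and TicketEncryptionType code of a 4769 event."""

# KDC option flags as they appear in TicketOptions (bit mask -> documented name).
# Bit 0 is the most significant bit of the 32-bit value, as in RFC 4120.
TICKET_OPTIONS = {
    0x40000000: "Forwardable",
    0x20000000: "Forwarded",
    0x10000000: "Proxiable",
    0x08000000: "Proxy",
    0x04000000: "Allow-postdate",
    0x02000000: "Postdated",
    0x01000000: "Invalid",
    0x00800000: "Renewable",
    0x00400000: "Initial",
    0x00200000: "Pre-authent",
    0x00100000: "Opt-hardware-auth",
    0x00080000: "Transited-policy-checked",
    0x00040000: "Ok-as-delegate",
    0x00020000: "Request-anonymous",
    0x00010000: "Name-canonicalize",
    0x00000020: "Disable-transited-check",
    0x00000010: "Renewable-ok",
    0x00000008: "Enc-tkt-in-skey",
    0x00000002: "Renew",
    0x00000001: "Validate",
}

# Known TicketEncryptionType values; 0xFFFFFFFF is logged when no ticket was issued.
ENCRYPTION_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
    0xFFFFFFFF: "none (ticket request failed)",
}

# Example's own definition of "weak": single DES and RC4 (assumption, not from the page).
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}


def decode_ticket_options(value):
    """Return the set flag names, most significant bit first, plus any undocumented bits."""
    bits = int(value, 16)
    names = [name for mask, name in sorted(TICKET_OPTIONS.items(), reverse=True)
             if bits & mask]
    unknown = bits & ~sum(TICKET_OPTIONS)  # bits with no documented meaning
    if unknown:
        names.append(f"unknown:0x{unknown:08x}")
    return names


def decode_encryption_type(value):
    """Map a hex TicketEncryptionType string to its documented name."""
    code = int(value, 16)
    return ENCRYPTION_TYPES.get(code, f"unknown (0x{code:x})")


def is_weak_encryption(value):
    """True for DES or RC4 ticket encryption (the types the detections above key on)."""
    return int(value, 16) in WEAK_ETYPES


if __name__ == "__main__":
    # Values taken from the example event above.
    print(decode_ticket_options("0x40810000"))   # Forwardable, Renewable, Name-canonicalize
    print(decode_encryption_type("0x12"))        # AES256-CTS-HMAC-SHA1-96
```

For the example event, 0x40810000 decodes to Forwardable, Renewable and Name-canonicalize, and 0x12 to AES256; an RC4 ticket would show 0x17 and trip `is_weak_encryption`.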
Community Notes

Tickets for hosts that a user has not previously accessed may indicate Pass-the-Ticket or RDP/WMI pivoting. Confirm that the target server is also the host that is actually contacted, and look for unusual or weak encryption types such as RC4 (which may indicate S4U2Proxy). Check for movement between services or SPNs, and for unusual service names.
Detection Rules

Sigma
- Kerberoasting Activity - Initial Query (level: medium): This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
- Suspicious Kerberos RC4 Ticket Encryption (level: medium): Detects service ticket requests using RC4 encryption type.
Splunk

- Kerberoasting spn request with RC4 encryption: The following analytic detects potential Kerberoasting attacks by identifying Kerberos service ticket requests with RC4 encryption through Event ID 4769. It leverages specific Ticket_Options values commonly used by Kerberoasting tools. This activity is significant as Kerberoasting allows attackers to request service tickets for domain accounts, typically service accounts, and crack them offline to gain privileged access. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment.
- Kerberos Service Ticket Request Using RC4 Encryption: The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.
- Suspicious Kerberos Service Ticket Request: The following analytic detects suspicious Kerberos Service Ticket (TGS) requests where the requesting account name matches the service name, potentially indicating an exploitation attempt of CVE-2021-42278 and CVE-2021-42287. This detection leverages Event ID 4769 from Domain Controller and Kerberos events. Such activity is significant as it may represent an adversary attempting to escalate privileges by impersonating a domain controller. If confirmed malicious, this could allow an attacker to take control of the domain controller, leading to complete domain compromise and unauthorized access to sensitive information.
- Unusual Number of Computer Service Tickets Requested: The following analytic identifies an unusual number of computer service ticket requests from a single source, leveraging Event ID 4769, "A Kerberos service ticket was requested." It uses statistical analysis, including standard deviation and the 3-sigma rule, to detect anomalies in service ticket requests. This activity is significant as it may indicate malicious behavior such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, facilitating further compromise and potential data exfiltration.
- Unusual Number of Kerberos Service Tickets Requested: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
- Windows Large Number of Computer Service Tickets Requested: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.
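The rules above describe four recurring checks on 4769 data: RC4-encrypted tickets, an account name equal to the service name, several distinct non-computer SPNs requested from one source within 5 seconds, and more than 30 computer-account tickets from one source within 5 minutes. The block below is an added example that re-implements those checks in plain Python over constructed events; it is not the Sigma or Splunk rule code itself. Field names follow the `event_data` keys of the example event (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `IpAddress`, `Status`) plus `time_created`. The 30-in-5-minutes threshold is the one quoted above; the `min_services=3` threshold for the 5-second SPN burst is an assumption for illustration (the Sigma rule leaves it to the analyst), and the per-source sliding window generalises both volume rules.

```python
"""Four 4769 detection checks over constructed sample events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC, RC4-HMAC-EXP


def _ts(event):
    # time_created is ISO 8601 with a trailing Z; spell out the offset so this
    # also works on Python versions whose fromisoformat rejects "Z".
    return datetime.fromisoformat(event["time_created"].replace("Z", "+00:00"))


def _sam(name):
    # "labuser@CONTOSO.COM" -> "labuser"; AD names compare case-insensitively.
    return name.split("@", 1)[0].lower()


def rc4_service_tickets(events):
    """Successful TGS requests whose ticket was encrypted with RC4."""
    return [e for e in events
            if e["Status"] == "0x0"
            and int(e["TicketEncryptionType"], 16) in RC4_ETYPES]


def account_equals_service(events):
    """Requests whose account name equals the service name
    (the CVE-2021-42278 / CVE-2021-42287 pattern described above)."""
    return [e for e in events
            if _sam(e["TargetUserName"]) == e["ServiceName"].lower()]


def _windows(events, window):
    """Yield (source_ip, events) for every window of length `window` that
    starts at one of that source's events (sliding window per source)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["IpAddress"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):
            j = i
            while j < len(evs) and _ts(evs[j]) - _ts(first) <= window:
                j += 1
            yield src, evs[i:j]


def spn_bursts(events, window=timedelta(seconds=5), min_services=3):
    """Sources requesting >= min_services distinct non-computer SPNs within
    `window` (the Kerberoasting initial query, aggregated). Threshold is an assumption."""
    user_spns = [e for e in events if not e["ServiceName"].endswith("$")]
    hits = {}
    for src, win in _windows(user_spns, window):
        distinct = len({e["ServiceName"].lower() for e in win})
        if distinct >= min_services:
            hits[src] = max(distinct, hits.get(src, 0))
    return hits


def computer_ticket_volume(events, window=timedelta(minutes=5), threshold=30):
    """Sources with more than `threshold` computer-account ($) service tickets
    within `window` (the >30 in 5 minutes rule quoted above)."""
    computers = [e for e in events if e["ServiceName"].endswith("$")]
    hits = {}
    for src, win in _windows(computers, window):
        if len(win) > threshold:
            hits[src] = max(len(win), hits.get(src, 0))
    return hits


# --- constructed sample events (not real telemetry) --------------------------
_BASE = datetime(2021, 12, 12, 18, 0, 0)


def _ev(seconds, user, service, etype, ip, status="0x0"):
    return {"time_created": (_BASE + timedelta(seconds=seconds)).isoformat() + "Z",
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = (
    # benign: the page's example, AES256 ticket for a computer service
    [_ev(0, "labuser@CONTOSO.COM", "01566S-WIN16-IR$", "0x12", "::ffff:172.16.66.19")]
    # four RC4 user-SPN tickets from one host within two seconds
    + [_ev(0.5 * i, "jdoe@CONTOSO.COM", svc, "0x17", "::ffff:172.16.66.40")
       for i, svc in enumerate(["svc_sql", "svc_http", "svc_backup", "svc_mssql"])]
    # failed lookup from the same host: 0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN,
    # no ticket issued so the encryption type is logged as 0xffffffff
    + [_ev(3, "jdoe@CONTOSO.COM", "svc_old", "0xffffffff", "::ffff:172.16.66.40", "0x7")]
    # account name identical to the service name
    + [_ev(10, "dc01@CONTOSO.COM", "dc01", "0x12", "::ffff:172.16.66.41")]
    # 35 computer-account tickets within 35 seconds from a single host
    + [_ev(60 + i, "scanner@CONTOSO.COM", f"WS{i:03d}$", "0x12", "::ffff:172.16.66.42")
       for i in range(35)]
)

if __name__ == "__main__":
    print("RC4 tickets:", len(rc4_service_tickets(SAMPLE_EVENTS)))
    print("account == service:", [e["TargetUserName"] for e in account_equals_service(SAMPLE_EVENTS)])
    print("SPN bursts:", spn_bursts(SAMPLE_EVENTS))
    print("computer ticket volume:", computer_ticket_volume(SAMPLE_EVENTS))
```

On the constructed sample the RC4 check returns the four `jdoe` tickets and ignores the failed request, the account-equals-service check returns the `dc01` request, the SPN burst check reports five distinct non-computer SPNs from `::ffff:172.16.66.40` inside one 5-second window, and the volume check reports 35 computer tickets from `::ffff:172.16.66.42`. Failed requests are deliberately kept in the burst count, since the Sigma description counts requests rather than issued tickets.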
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx