Detection rules › Sigma

Kerberoasting Activity - Initial Query

Status
test
Severity
medium
Author
@kostastsale
Source
github.com/SigmaHQ/sigma

This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

MITRE ATT&CK coverage

Event coverage

Rule body yaml

title: Kerberoasting Activity - Initial Query
id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
status: test
description: |
    This rule will collect the data needed to start looking into possible kerberoasting activity.
    Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
    You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
references:
    - https://www.trustedsec.com/blog/art_of_kerberoast/
    - https://adsecurity.org/?p=3513
author: '@kostastsale'
date: 2022-01-21
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        Status: '0x0' # Translated as status from failure code field. Query only for successes
        TicketEncryptionType: '0x17' # RC4 ticket encryption type
    filter_main_krbtgt:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_machine_accounts:
        TargetUserName|contains: '$@' # Ignore requests from machines
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legacy applications.
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    EventID: 4769
    Status: '0x0' # Translated as status from failure code field. Query only for successes
    TicketEncryptionType: '0x17' # RC4 ticket encryption type

Stage 2: not filter_main_*

filter_main_krbtgt:
    ServiceName|endswith:
        - 'krbtgt' # Ignore requests for the krbtgt service
        - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
filter_main_machine_accounts:
    TargetUserName|contains: '$@' # Ignore requests from machines

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
2ServiceNameends_with$
2ServiceNameends_withkrbtgt
2TargetUserNamematch$@

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Statuseq
  • 0x0 corpus 3 (kusto 2, sigma 1)
TicketEncryptionTypeeq
  • 0x17 corpus 8 (splunk 4, sigma 3, kusto 1)