Detection rules › Sigma
Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4769 | A Kerberos service ticket was requested. |
Stages and Predicates
Stage 1: selection
Status: 0x0
TicketEncryptionType: 0x17
Stage 2: not 1 of filter_main_*
or:
ServiceName|endswith: '$'
ServiceName|endswith: krbtgt
TargetUserName|contains: '$@'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ServiceName | ends_with |
|
Status | eq |
|
TargetUserName | match |
|
TicketEncryptionType | eq |
|