Detection rules › Splunk
Kerberos User Enumeration
The following analytic detects an unusual number of Kerberos Ticket Granting Ticket (TGT) requests for non-existing users from a single source endpoint. It leverages Event ID 4768 and identifies anomalies using the 3-sigma statistical rule. This behavior is significant as it may indicate an adversary performing a user enumeration attack against Active Directory. If confirmed malicious, the attacker could validate a list of usernames, potentially leading to further attacks such as brute force or credential stuffing, compromising the security of the environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1589.002 Gather Victim Identity Information: Email Addresses |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4768 | A Kerberos authentication ticket (TGT) was requested. |
Stages and Predicates
Stage 1: search
search EventCode=4768 Status=0x6 TargetUserName!="*$"
Stage 2: bucket
bucket span=2m _time
Stage 3: stats
stats dc(TargetUserName) AS unique_accounts, … AS tried_accounts, … AS dest BY _time, src_ip
Stage 4: eventstats
eventstats avg(unique_accounts) AS comp_avg BY src_ip
Stage 5: eval
eval ... using (comp_avg, comp_std)
Stage 6: eval
eval ... using (unique_accounts, upperBound)
Stage 7: search
search isOutlier=1
Stage 8: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Status | eq |
|
TargetUserName | ne |
|
isOutlier | eq |
|