Unusual Number of Kerberos Service Tickets Requested
The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4769 | A Kerberos service ticket was requested. |
Stages and Predicates
Stage 1: search
search EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
Stage 2: bucket
bucket span=2m _time
Stage 3: stats
stats dc(ServiceName) AS unique_services, … AS requested_services, … AS user_category, … AS src_category, … AS dest BY _time, user, src
Stage 4: eventstats
eventstats avg(unique_services) AS comp_avg BY user, src
Stage 5: eval
eval ... using (comp_avg, comp_std)
Stage 6: eval
eval ... using (unique_services, upperBound)
Stage 7: search
search isOutlier=1
Stage 8: search
search `macro`
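The stage chain above, replayed in Python over constructed 4769-style events so the 3-sigma logic can be inspected offline. This is an added example, not the rule's own code: the stage 5 and 6 evals are elided on the page, so the form upperBound = comp_avg + 3 * comp_std and isOutlier = unique_services > upperBound is an assumption, as are the sample users, SPNs and source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

SIGMA = 3                        # the 3-sigma rule the analytic applies
SPAN = timedelta(minutes=2)      # bucket span=2m
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def build_sample_events():
    """Constructed 4769-style events, not real logs: alice requests one RC4 ticket
    per 2-minute bucket for 28 minutes, then 12 distinct SPNs in a single bucket."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def ev(t, user, spn, enc="0x17", code=4769, src="10.0.0.5"):
        return dict(_time=t, user=user, src=src, ServiceName=spn,
                    TicketEncryptionType=enc, EventCode=code)

    events = [ev(t0 + i * SPAN, "alice", f"http/app{i % 3}") for i in range(14)]
    events += [ev(t0 + 14 * SPAN, "alice", f"mssql/db{i}") for i in range(12)]
    events += [ev(t0, "alice", "HOST01$"),                # computer account: dropped by ServiceName!="*$"
               ev(t0, "alice", "cifs/fs1", enc="0x12"),   # AES ticket: dropped by TicketEncryptionType=0x17
               ev(t0, "bob", "ldap/dc1"), ev(t0 + SPAN, "bob", "ldap/dc1")]  # too little history to baseline
    return events

def kerberoast_outliers(events, sigma=SIGMA, span=SPAN):
    """Replay the rule's stages: search -> bucket -> stats -> eventstats -> eval -> search."""
    # Stage 1: search EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
    hits = [e for e in events if e["EventCode"] == 4769
            and not e["ServiceName"].endswith("$")
            and e["TicketEncryptionType"] == "0x17"]
    # Stages 2-3: bucket _time into 2m spans, then dc(ServiceName) BY _time, user, src
    spans = defaultdict(set)
    for e in hits:
        bucket = e["_time"] - (e["_time"] - EPOCH) % span
        spans[(bucket, e["user"], e["src"])].add(e["ServiceName"])
    rows = [dict(_time=b, user=u, src=s, unique_services=len(v))
            for (b, u, s), v in spans.items()]
    # Stage 4: eventstats avg/stdev of unique_services BY user, src (Splunk stdev is the sample stdev)
    history = defaultdict(list)
    for r in rows:
        history[(r["user"], r["src"])].append(r["unique_services"])
    for r in rows:
        vals = history[(r["user"], r["src"])]
        r["comp_avg"] = mean(vals)
        r["comp_std"] = stdev(vals) if len(vals) > 1 else 0.0
        # Stages 5-6 (assumed form of the elided evals): upperBound = avg + sigma*std, outlier if above it
        r["upperBound"] = r["comp_avg"] + sigma * r["comp_std"]
        r["isOutlier"] = int(r["unique_services"] > r["upperBound"])
    # Stage 7: search isOutlier=1
    return [r for r in rows if r["isOutlier"]]
```

Note that a sample z-score over n buckets can never exceed (n-1)/sqrt(n), so a user/src pair with fewer than 11 buckets of history cannot trip a 3-sigma bound no matter how many SPNs it requests; the spike here is only caught because 14 baseline buckets precede it.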
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 4769 |
| ServiceName | ne | `*$` |
| TicketEncryptionType | eq | 0x17 |
| isOutlier | eq | 1 |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Kerberoasting spn request with RC4 encryption (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Suspicious Kerberos Service Ticket Request (drops 2 filters this rule applies)