Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Kerberoasting Activity - Initial Query

This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
kostastsaleCreated Fri Jan 21Updated Sun Oct 19d04ae2b8-ad54-4de0-bd87-4bc1da66aa59windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic3 selectors
detection:
    selection:
        EventID: 4769
        Status: '0x0' # Translated as status from failure code field. Query only for successes
        TicketEncryptionType: '0x17' # RC4 ticket encryption type
    filter_main_krbtgt:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_machine_accounts:
        TargetUserName|contains: '$@' # Ignore requests from machines
    condition: selection and not 1 of filter_main_*
False Positives

Legacy applications.

References
1
Resolving title…
trustedsec.com
2
Resolving title…
adsecurity.org
MITRE ATT&CK
Rule Metadata
Rule ID
d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
Status
test
Level
medium
Type
Detection
Created
Fri Jan 21
Modified
Sun Oct 19
Author
kostastsale
Path
rules/windows/builtin/security/win_security_kerberoasting_activity.yml
Raw Tags
attack.credential-accessattack.t1558.003
View on GitHub