splApache-2.0from splunk/security_content
Unusual Number of Kerberos Service Tickets Requested
The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
| bucket span=2m _time
| stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category values(dest) as dest
BY _time, user, src
| eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std
BY user, src
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)
| search isOutlier=1
| `unusual_number_of_kerberos_service_tickets_requested_filter`