Description

This search detects a potential kerberoasting attack via service principal name requests

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-10-16
  • Author: Jose Hernandez, Patrick Bareiss, Splunk
  • ID: 5cc67381-44fa-4111-8a37-7a230943f027

ATT&CK

ID          Technique                          Tactic
T1558.003   Kerberoasting                      Credential Access
T1558       Steal or Forge Kerberos Tickets    Credential Access

Search

`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `kerberoasting_spn_request_with_rc4_encryption_filter`
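To show what the search actually computes, here is an added Python model of its filter and stats aggregation (example code, not Splunk's). The events are constructed stand-ins for indexed 4769 records, and `ctime` is an assumed stand-in for the `security_content_ctime` macro.

```python
from collections import defaultdict
from datetime import datetime, timezone

# The "by" clause of the search's stats command.
GROUP_BY = ("dest", "service", "service_id", "Ticket_Encryption_Type", "Ticket_Options")

# Constructed sample events (field names follow the search). _time is epoch seconds.
SAMPLE_EVENTS = [
    # Two RC4 (0x17) service ticket requests for the same SPN: matched and aggregated.
    {"_time": 1602806400, "EventCode": "4769", "dest": "dc01", "service": "MSSQLSvc/sql01.corp.local:1433",
     "service_id": "S-1-5-21-1-2-3-1105", "Ticket_Options": "0x40810000", "Ticket_Encryption_Type": "0x17"},
    {"_time": 1602806460, "EventCode": "4769", "dest": "dc01", "service": "MSSQLSvc/sql01.corp.local:1433",
     "service_id": "S-1-5-21-1-2-3-1105", "Ticket_Options": "0x40810000", "Ticket_Encryption_Type": "0x17"},
    # AES256 (0x12) request: not an RC4 ticket, so not matched.
    {"_time": 1602806520, "EventCode": "4769", "dest": "dc01", "service": "http/web01.corp.local",
     "service_id": "S-1-5-21-1-2-3-1200", "Ticket_Options": "0x40810000", "Ticket_Encryption_Type": "0x12"},
    # RC4 but different ticket options: not matched by this search.
    {"_time": 1602806580, "EventCode": "4769", "dest": "dc02", "service": "cifs/fs01.corp.local",
     "service_id": "S-1-5-21-1-2-3-1300", "Ticket_Options": "0x40800000", "Ticket_Encryption_Type": "0x17"},
]

def matches(event):
    """The search's filter: service ticket request (4769), ticket options 0x40810000
    (forwardable | renewable | canonicalize) and RC4-HMAC encryption (0x17)."""
    return (event.get("EventCode") == "4769"
            and event.get("Ticket_Options", "").lower() == "0x40810000"
            and event.get("Ticket_Encryption_Type", "").lower() == "0x17")

def ctime(epoch):
    """Stand-in for security_content_ctime: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def kerberoasting_spn_request_with_rc4(events):
    """Model of 'stats count min(_time) as firstTime max(_time) as lastTime by ...'."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            groups[tuple(ev[k] for k in GROUP_BY)].append(ev["_time"])
    results = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=ctime(min(times)), lastTime=ctime(max(times)))
        results.append(row)
    return results

if __name__ == "__main__":
    for row in kerberoasting_spn_request_with_rc4(SAMPLE_EVENTS):
        print(row)
```

Only the two RC4 requests for the MSSQL SPN survive the filter, collapsing into one row with count 2; the AES and non-matching-option requests are dropped, which is why the RC4 false positives noted below matter for tuning.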

Associated Analytic Story

How To Implement

You must be ingesting endpoint data that tracks process activity, and include the Windows security event logs that contain Kerberos

Required field

  • _time
  • EventCode
  • Ticket_Options
  • Ticket_Encryption_Type
  • dest
  • service
  • service_id

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Older systems that support Kerberos RC4 by default, such as NetApp, may generate false positives.

RBA

Risk Score   Impact   Confidence   Message
72.0         90       80           Potential kerberoasting attack via service principal name requests detected on $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 3