Detect Kerberoasting
THIS IS AN EXPERIMENTAL DETECTION
This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.
Description
This search detects a potential Kerberoasting attack via service principal name (SPN) requests.
- Type: TTP
- Product: Splunk Behavioral Analytics
- Datamodel: Endpoint_Processes
- Last Updated: 2020-10-21
- Author: Xiao Lin, Splunk
- ID: dabdd6d7-3e10-42be-8711-4e124f7a3850
Annotations
ATT&CK
Kill Chain Phase
- Actions on Objectives
NIST
- DE.CM
CIS20
- CIS 8
- CIS 16
CVE
Search
```
| from read_ssa_enriched_events()
| eval _time=map_get(input_event, "_time"), EventCode=map_get(input_event, "event_code"), TicketOptions=map_get(input_event, "ticket_options"), TicketEncryptionType=map_get(input_event, "ticket_encryption_type"), ServiceName=map_get(input_event, "service_name"), ServiceID=map_get(input_event, "service_id"), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null)
| where EventCode="4769" AND TicketOptions="0x40810000" AND TicketEncryptionType="0x17"
| first_time_event input_columns=["EventCode","TicketOptions","TicketEncryptionType","ServiceName","ServiceID"]
| where first_time_EventCode_TicketOptions_TicketEncryptionType_ServiceName_ServiceID
| eval start_time=_time, end_time=_time
| eval body=create_map(["event_id", event_id, "EventCode", EventCode, "ServiceName", ServiceName, "TicketOptions", TicketOptions, "TicketEncryptionType", TicketEncryptionType]), entities = mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null))
| select start_time, end_time, entities, body
| into write_ssa_detected_events();
```
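The SPL2 above selects 4769 (service ticket request) events whose ticket options are 0x40810000 and whose encryption type is 0x17 (RC4), then keeps only the first time each (EventCode, TicketOptions, TicketEncryptionType, ServiceName, ServiceID) combination is observed, so a single noisy service does not alert on every request. The following Python is an added example, not code from Splunk or the Splunk Threat Research team: it runs the same predicate and first-time suppression over a handful of constructed event records whose field names follow the "Required fields" list on this page (all values are invented), and it adds an `rc4_only_services` allowlist as a stand-in for the empty `detect_kerberoasting_filter` macro so that known RC4-only legacy services (the NetApp-style false positive named below) can be excluded without touching the core logic. The `risk_score` helper applies the RBA formula from the table below.

```python
"""Kerberoasting detection logic over constructed 4769 events (added example)."""

# Constructed sample events in the shape read_ssa_enriched_events() returns
# (field names from the page's Required fields list; every value is invented).
SAMPLE_EVENTS = [
    # RC4 service ticket for a SQL SPN: first time seen, should alert
    {"_time": 1603238400, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "MSSQLSvc/db01.corp.example:1433",
     "service_id": "S-1-5-21-1111-2222-3333-1105", "dest_user_id": "jdoe",
     "dest_device_id": "WS01", "event_id": "evt-001"},
    # Same SPN requested again by another account: suppressed by first_time_event
    {"_time": 1603238460, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "MSSQLSvc/db01.corp.example:1433",
     "service_id": "S-1-5-21-1111-2222-3333-1105", "dest_user_id": "asmith",
     "dest_device_id": "WS02", "event_id": "evt-002"},
    # AES256 ticket (0x12): normal modern Kerberos, does not match the predicate
    {"_time": 1603238520, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x12", "service_name": "HTTP/web01.corp.example",
     "service_id": "S-1-5-21-1111-2222-3333-1106", "dest_user_id": "jdoe",
     "dest_device_id": "WS01", "event_id": "evt-003"},
    # TGT request (4768), not a service ticket request: does not match
    {"_time": 1603238580, "event_code": "4768", "ticket_options": "0x40810010",
     "ticket_encryption_type": "0x12", "service_name": "krbtgt",
     "service_id": "S-1-5-21-1111-2222-3333-502", "dest_user_id": "jdoe",
     "dest_device_id": "WS01", "event_id": "evt-004"},
    # RC4 ticket for a legacy appliance account: matches the predicate but can be
    # dropped by the allowlist that stands in for detect_kerberoasting_filter
    {"_time": 1603238640, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "nfs/filer01.corp.example",
     "service_id": "S-1-5-21-1111-2222-3333-1200", "dest_user_id": "svc-backup",
     "dest_device_id": "BK01", "event_id": "evt-005"},
]

# Columns of the first_time_event call in the SPL2 search, in order.
FIRST_TIME_COLUMNS = ("event_code", "ticket_options", "ticket_encryption_type",
                      "service_name", "service_id")


def matches_core_predicate(ev):
    """Equivalent of the `where EventCode="4769" AND ...` line of the search."""
    return (ev.get("event_code") == "4769"
            and ev.get("ticket_options") == "0x40810000"
            and ev.get("ticket_encryption_type") == "0x17")


def risk_score(impact, confidence):
    """RBA formula from the page: Risk Score = Impact * Confidence / 100."""
    return impact * confidence / 100


def detect_kerberoasting(events, rc4_only_services=frozenset(), impact=70, confidence=20):
    """Run the search logic over an iterable of event dicts; return detections.

    rc4_only_services is a hypothetical allowlist playing the role of the
    detect_kerberoasting_filter macro: service names in it never produce a
    detection. It is applied after first-time bookkeeping, matching where a
    filter macro would normally sit at the end of the SPL.
    """
    seen = set()          # state behind first_time_event
    detections = []
    for ev in events:
        if not matches_core_predicate(ev):
            continue
        key = tuple(ev.get(c) for c in FIRST_TIME_COLUMNS)
        if key in seen:   # not the first time this combination was observed
            continue
        seen.add(key)
        if ev.get("service_name") in rc4_only_services:
            continue
        detections.append({
            "start_time": ev["_time"],
            "end_time": ev["_time"],
            # entities = mvappend(dest_user_id, dest_device_id)
            "entities": [ev.get("dest_user_id"), ev.get("dest_device_id")],
            "body": {
                "event_id": ev.get("event_id"),
                "EventCode": ev.get("event_code"),
                "ServiceName": ev.get("service_name"),
                "TicketOptions": ev.get("ticket_options"),
                "TicketEncryptionType": ev.get("ticket_encryption_type"),
            },
            "risk_score": risk_score(impact, confidence),
        })
    return detections


if __name__ == "__main__":
    for d in detect_kerberoasting(SAMPLE_EVENTS,
                                  rc4_only_services=frozenset({"nfs/filer01.corp.example"})):
        print(d)
```

Run as written, the unfiltered call yields two detections (evt-001 and evt-005); evt-002 is suppressed because its first-time key repeats evt-001, and the AES and 4768 records never match the predicate. Adding the filer's SPN to `rc4_only_services` leaves only the SQL service alert, which is the kind of tuning the empty filter macro exists for.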
Macros
The SPL above uses the following Macros:
detect_kerberoasting_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- service_name
- _time
- event_code
- ticket_encryption_type
- service_id
- ticket_options
How To Implement
The test data is converted from Windows Security Event logs generated by an Attack Range simulation; it was used in the SPL search and extended to SPL2.
Known False Positives
Older systems that support Kerberos RC4 by default, such as NetApp, may generate false positives.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
14.0 | 70 | 20 | Kerberoasting malware is potentially applying stolen credentials. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). Initial Confidence and Impact are set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 2