Beefing out kerberoast detection

splunk · Oct 17, 2024 · dc4ca9f · dc4ca9f
1 parent ab830eb
commit dc4ca9f
Showing 1 changed file with 20 additions and 13 deletions.
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -1,8 +1,8 @@
 name: Unusual Number of Kerberos Service Tickets Requested
 id: eb3e6702-8936-11ec-98fe-acde48001122
-version: 4
-date: '2024-09-24'
-author: Mauricio Velazco, Splunk
+version: 5
+date: '2024-10-17'
+author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: Anomaly
 description: 'The following analytic identifies an unusual number of Kerberos service
@@ -14,12 +14,15 @@ description: 'The following analytic identifies an unusual number of Kerberos se
   to sensitive accounts and escalation of privileges within the Active Directory environment.'
 data_source:
 - Windows Event Log Security 4769
-search: '`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
-  | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName)
-  as requested_services by _time, src | eventstats avg(unique_services) as comp_avg
-  , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3)
-  | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)
-  | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`'
+search: >-
+  `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010)
+  | bucket span=2m _time 
+  | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src
+  | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src
+  | eval upperBound=(comp_avg+comp_std*3) 
+  | eval isOutlier=if(unique_services > 5 and unique_services >= upperBound, 1, 0) 
+  | search isOutlier=1
+  | `unusual_number_of_kerberos_service_tickets_requested_filter`
 how_to_implement: To successfully implement this search, you need to be ingesting
   Domain Controller and Kerberos events. The Advanced Security Audit policy setting
   `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
@@ -34,9 +37,9 @@ tags:
   analytic_story:
   - Active Directory Kerberos Attacks
   asset_type: Endpoint
-  confidence: 60
-  impact: 60
-  message: tbd
+  confidence: 80
+  impact: 80
+  message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack
   mitre_attack_id:
   - T1558
   - T1558.003
@@ -45,6 +48,10 @@ tags:
     type: Endpoint
     role:
     - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -58,7 +65,7 @@ tags:
   - Service_Name
   - service_id
   - Client_Address
-  risk_score: 36
+  risk_score: 64
   security_domain: endpoint
 tests:
 - name: True Positive Test