Adversaries may request service tickets for many SPN-bearing accounts so they can take the tickets offline and crack the service accounts' passwords for reuse (Kerberoasting, MITRE ATT&CK T1558.003). SOC teams should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to identify potential Kerberoasting and limit the lateral movement that typically follows a cracked service-account password.
KQL Query
```kusto
// Number of (event, SPN) ticket requests per 2-minute window before an account is flagged.
// Tune to a baseline for the environment; 70 is a starting point, not a universal value.
let MaxCount = 70;
IdentityLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess"
| where Protocol == "Kerberos"
// AdditionalFields is a JSON string; Spns and AttackTechniques are filled in by Defender for Identity
| extend json = parse_json(tostring(AdditionalFields))
| extend SPN = json.Spns,
         AttackTechniques = json.AttackTechniques
| project-away json
| where isnotempty(SPN)
// only events Defender for Identity already tagged as Kerberoasting are counted
| where AttackTechniques has "T1558.003"
// one row per requested SPN
| mv-expand SPN
// a duplicate SPN inside the same event collapses; the same SPN in another event (other ReportId) still counts
| distinct tostring(SPN), DeviceName, AccountUpn, AccountSid, bin(Timestamp, 2m), ReportId, tostring(AttackTechniques)
| summarize count(), SPNS = make_list(SPN), ReportId = tostring((make_list(ReportId))[0])
    by AccountUpn, AccountSid, DeviceName, bin(Timestamp, 2m), tostring(AttackTechniques)
// readable comma-separated list; the original replace_regex also stripped ':' and ran the SPNs together
| extend SPNS = strcat_array(SPNS, ", ")
| where count_ >= MaxCount
```
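To make the pipeline concrete, here is an added example (mine, not part of the original rule) that replays the same filter, expand, distinct, 2-minute bin and threshold logic in Python over a handful of constructed IdentityLogonEvents rows. Every account, host, SID, SPN and ReportId is made up; MaxCount is lowered from 70 to 4 so the sample trips the threshold; and the optional `excluded_upns` allow-list is an assumption standing in for the account-based exclusions discussed later on this page, since the original query has no such parameter.

```python
"""Replay of the Kerberoasting hunt over constructed IdentityLogonEvents rows
(added example; not the original rule's code, and every identity below is made up)."""
import json
from datetime import datetime, timedelta, timezone

MAX_COUNT = 4            # page uses 70 per 2-minute window; lowered so the sample trips it
TECHNIQUE = "T1558.003"  # only rows Defender for Identity already tagged are counted
LOOKBACK = timedelta(days=1)
NOW = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)  # stands in for now()

# constructed account -> SID mapping (hypothetical identities)
SIDS = {
    "jdoe@corp.example": "S-1-5-21-10-20-30-1105",
    "svc-backup@corp.example": "S-1-5-21-10-20-30-1201",
    "admin@corp.example": "S-1-5-21-10-20-30-500",
    "scanner@corp.example": "S-1-5-21-10-20-30-1310",
}


def _ts(minute, second=0):
    """Constructed timestamps: 2024-01-01 09:MM:SS UTC."""
    return datetime(2024, 1, 1, 9, minute, second, tzinfo=timezone.utc)


def _event(ts, upn, device, spns, report_id, techniques=(TECHNIQUE,),
           action="LogonSuccess", protocol="Kerberos"):
    """One constructed IdentityLogonEvents row. AdditionalFields is the JSON
    string the table exposes; the hunt reads its Spns and AttackTechniques keys."""
    return {
        "Timestamp": ts, "ActionType": action, "Protocol": protocol,
        "AccountUpn": upn, "AccountSid": SIDS[upn], "DeviceName": device,
        "ReportId": report_id,
        "AdditionalFields": json.dumps({"Spns": list(spns),
                                        "AttackTechniques": list(techniques)}),
    }


SAMPLE_EVENTS = [
    # jdoe on WS17: 5 SPN requests across 3 events inside the 09:00-09:02 window
    _event(_ts(0, 5), "jdoe@corp.example", "WS17",
           ["MSSQLSvc/db01.corp.example:1433", "MSSQLSvc/db02.corp.example:1433"], 1001),
    _event(_ts(0, 40), "jdoe@corp.example", "WS17",
           ["HTTP/web01.corp.example", "CIFS/fs01.corp.example"], 1002),
    # the same SPN listed twice in one event is collapsed by the distinct step
    _event(_ts(1, 30), "jdoe@corp.example", "WS17",
           ["MSSQLSvc/db01.corp.example:1433", "MSSQLSvc/db01.corp.example:1433"], 1003),
    # 09:02:10 lands in the next 2-minute bin and does not add to the first
    _event(_ts(2, 10), "jdoe@corp.example", "WS17", ["LDAP/dc01.corp.example"], 1004),
    # NTLM logon without SPNs: dropped by the Protocol / isnotempty filters
    _event(_ts(0, 50), "jdoe@corp.example", "WS17", [], 1005, protocol="NTLM"),
    # backup account: 3 requests, below the threshold
    _event(_ts(0, 15), "svc-backup@corp.example", "BK01",
           ["CIFS/fs01.corp.example", "CIFS/fs02.corp.example"], 2001),
    _event(_ts(1, 0), "svc-backup@corp.example", "BK01", ["CIFS/fs03.corp.example"], 2002),
    # 4 SPNs but Defender for Identity did not tag the event with T1558.003: dropped
    _event(_ts(0, 20), "scanner@corp.example", "SCN01",
           ["HTTP/a.corp.example", "HTTP/b.corp.example",
            "HTTP/c.corp.example", "HTTP/d.corp.example"], 3001, techniques=()),
    # admin jump host: 5 SPNs in one event; flagged unless the account is allow-listed
    _event(_ts(0, 30), "admin@corp.example", "ADM01",
           ["MSSQLSvc/db01.corp.example:1433", "MSSQLSvc/db02.corp.example:1433",
            "HTTP/web01.corp.example", "CIFS/fs01.corp.example", "LDAP/dc01.corp.example"], 4001),
    # the same burst two days earlier: outside the 1-day lookback
    _event(datetime(2023, 12, 30, 9, 0, tzinfo=timezone.utc), "jdoe@corp.example", "WS17",
           ["MSSQLSvc/db01.corp.example:1433", "MSSQLSvc/db02.corp.example:1433",
            "HTTP/web01.corp.example", "CIFS/fs01.corp.example", "LDAP/dc01.corp.example"], 1000),
]


def bin_2m(ts):
    """bin(Timestamp, 2m): floor to the 2-minute boundary."""
    return ts - timedelta(minutes=ts.minute % 2, seconds=ts.second, microseconds=ts.microsecond)


def hunt(events, now=NOW, max_count=MAX_COUNT, excluded_upns=frozenset()):
    """Mirror of the KQL pipeline: one finding per (AccountUpn, AccountSid, DeviceName,
    2-minute bin) whose request count reaches max_count. excluded_upns (lower-case UPNs)
    is an assumed allow-list tuning knob; the original query has none."""
    buckets = {}  # key -> {"pairs": set of (ReportId, SPN), "report_id": first seen}
    for ev in events:
        if ev["Timestamp"] <= now - LOOKBACK:                    # Timestamp > ago(1d)
            continue
        if ev["ActionType"] != "LogonSuccess" or ev["Protocol"] != "Kerberos":
            continue
        fields = json.loads(ev["AdditionalFields"])
        spns = fields.get("Spns") or []
        techniques = fields.get("AttackTechniques") or []
        if not spns or TECHNIQUE not in techniques:              # isnotempty / has T1558.003
            continue
        if ev["AccountUpn"].lower() in excluded_upns:
            continue
        key = (ev["AccountUpn"], ev["AccountSid"], ev["DeviceName"],
               bin_2m(ev["Timestamp"]), tuple(techniques))
        bucket = buckets.setdefault(key, {"pairs": set(), "report_id": ev["ReportId"]})
        # distinct SPN ... ReportId: one SPN repeated inside an event collapses,
        # but the same SPN requested again in another event counts again
        bucket["pairs"].update((ev["ReportId"], spn) for spn in spns)

    findings = []
    for (upn, sid, device, window, techniques), bucket in buckets.items():
        count = len(bucket["pairs"])                             # count() after distinct
        if count >= max_count:
            findings.append({
                "account_upn": upn, "account_sid": sid, "device": device,
                "window_start": window, "count": count,
                "spns": sorted({spn for _, spn in bucket["pairs"]}),
                "report_id": str(bucket["report_id"]),
                "techniques": list(techniques),
            })
    return sorted(findings, key=lambda f: (f["window_start"], f["account_upn"]))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["window_start"].isoformat(), f["account_upn"], f["device"], f["count"], f["spns"])
```

Two things the replay makes visible that the query alone does not: jdoe is counted at 5 even though only four distinct services were touched, because the hunt counts ticket requests per event rather than unique SPNs; and the scanner host's four-SPN burst never reaches the threshold because Defender for Identity did not tag it with T1558.003, so this hunt inherits the sensor's own classification and is not an independent detection of service-ticket volume.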
```yaml
id: ed25a5c7-2051-44f4-be22-b6cd2f0ad2d0
name: Detect potential kerberoast activities
description: |
  This query aims to detect an account that requests an unusually large number of
  service tickets (count >= MaxCount) within a two-minute window.
  The MaxCount threshold must be tuned to a baseline for the environment.
  Mitre Technique: Kerberoasting (T1558.003)
  Author: @MattiasBorg82
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityLogonEvents
tactics:
  - CredentialAccess
  - LateralMovement
relevantTechniques:
  - T1558.003
query: |
  let MaxCount = 70; //Number of requests per 2 minute timeframe, depending on org size.
  IdentityLogonEvents
  | where Timestamp > ago(1d)
  | where ActionType == "LogonSuccess"
  | where Protocol == "Kerberos"
  | extend json = parse_json(tostring(AdditionalFields))
  | extend SPN = json.Spns,
           AttackTechniques = json.AttackTechniques
  | project-away json
  | where isnotempty(SPN)
  | where AttackTechniques has "T1558.003"
  | mv-expand SPN
  | distinct tostring(SPN), DeviceName, AccountUpn, AccountSid, bin(Timestamp, 2m), ReportId, tostring(AttackTechniques)
  | summarize count(), SPNS = make_list(SPN), ReportId = tostring((make_list(ReportId))[0])
      by AccountUpn, AccountSid, DeviceName, bin(Timestamp, 2m), tostring(AttackTechniques)
  | extend SPNS = strcat_array(SPNS, ", ")
  | where count_ >= MaxCount
```
| Sentinel Table | Notes |
|---|---|
| IdentityLogonEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled and that Defender for Identity is deployed, since it fills the Spns and AttackTechniques fields the query depends on |
Tuning and false positives

The query only counts events that Defender for Identity has already tagged with T1558.003, so most of the noise comes from legitimate accounts that touch many services in a short burst. IdentityLogonEvents carries no process, command line or scheduled-task name, so every exclusion has to key on a field the query actually has: AccountUpn, AccountSid, DeviceName or the SPN. Keep exclusions in a Sentinel watchlist rather than hard-coding them, and prefer excluding a specific account or source host over excluding an SPN pattern, because attackers choose their Kerberoasting targets by SPN.

Scenario: A system administrator uses PowerShell to request service tickets as part of regular maintenance, for example validating SPN registrations.
Filter/Exclusion: Exclude the specific maintenance account (AccountUpn) on its jump host (DeviceName) after confirming the activity with its owner. Do not blanket-exclude domain admins or all service accounts: an attacker who has taken over a privileged account would inherit the exemption, and privileged accounts performing Kerberoasting are exactly the case worth seeing.

Scenario: A log-collection or monitoring platform authenticates to many hosts with Kerberos on a schedule, for example an agent that pulls Security event logs.
Filter/Exclusion: Exclude the collector's service account (AccountUpn) or the collector host (DeviceName). Note that Windows Security events 4624/4625 are logon events in a different table and do not feed this query; the Windows event for a service-ticket request is 4769, and this hunt reads Defender for Identity's IdentityLogonEvents rather than either.

Scenario: A backup job uses Kerberos to reach many file or database servers, resulting in frequent service ticket requests from the backup account.
Filter/Exclusion: Exclude the backup service account (AccountUpn) and its backup server (DeviceName) rather than SPNs containing "backup" or "sqlbackup"; an SPN-based exclusion would also hide an attacker roasting those same accounts.

Scenario: A third-party application (for example SQL Server, Exchange, or Active Directory tooling) requests service tickets as part of its normal operation.
Filter/Exclusion: Exclude the application's own service account and the servers it runs on. Do not exclude SPNs containing "MSSQL", "EXCH" or "ADWS": MSSQLSvc SPNs in particular are the classic Kerberoasting target, and excluding them would blind the hunt to its most common true positive. If an environment is genuinely noisy, raise MaxCount for that account or host instead.

Scenario: A scheduled task runs under a service account and requires Kerberos authentication to reach a remote service.
Filter/Exclusion: Exclude the task's service account (AccountUpn) on the host that runs it (DeviceName). The task name is not visible in IdentityLogonEvents, so it cannot be used as a filter here; if the exclusion must be tied to the task, correlate on the host and the time window in which the task runs.