Adversaries may abuse the Kerberos Authentication Service (AS) exchange to request a ticket for a service directly, rather than obtaining a TGT and then asking the Ticket Granting Service (TGS) for service tickets as Windows clients normally do. A service ticket issued this way never produces a TGS request, so it sidesteps hunts built on TGS telemetry, and it can indicate credential theft or lateral-movement tooling. SOC teams should proactively hunt for this behaviour in their Microsoft Sentinel (formerly Azure Sentinel) environment.
KQL Query
// This query shows attempts to request a Kerberos service ticket through the AS exchange, which normally issues only TGTs (Ticket Granting Tickets). The krbtgt and kadmin SPNs are excluded because those are the expected targets of an AS request (TGT issuance and the password-change service).
IdentityLogonEvents
| where Application == "Active Directory"
| where Protocol == "Kerberos"
| where LogonType in("Resource access", "Failed logon")
| extend Error = AdditionalFields["Error"]
| extend KerberosType = AdditionalFields['KerberosType']
| where KerberosType == "KerberosAs"
| extend Spns = AdditionalFields["Spns"]
| extend DestinationDC = AdditionalFields["TO.DEVICE"]
| where Spns !contains "krbtgt" and Spns !contains "kadmin"
| project Timestamp, ActionType, LogonType, AccountUpn, AccountSid, IPAddress, DeviceName, KerberosType, Spns, Error, DestinationDC, DestinationIPAddress, ReportId
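As an added example that is not part of the original community query, the same AS-request filter can be turned into a first-seen hunt: it keeps requests from the last day for account/SPN pairs that did not appear in the preceding 30 days and summarises where they came from and whether they failed. Column names are the ones used by the query above; the lookback and window lengths are assumptions to tune for your tenant.

```kql
// Added example, not part of the original hunting query.
// Same AS-request filter as the query above, then surface account/SPN pairs that are
// new compared with the previous 30 days. The lookback and window values are assumptions.
let lookback = 30d;
let window = 1d;
let AsServiceRequests = IdentityLogonEvents
    | where Timestamp > ago(lookback + window)
    | where Application == "Active Directory" and Protocol == "Kerberos"
    | where LogonType in ("Resource access", "Failed logon")
    | extend KerberosType = tostring(AdditionalFields["KerberosType"])
    | where KerberosType == "KerberosAs"
    | extend Spns = tostring(AdditionalFields["Spns"]),
             Error = tostring(AdditionalFields["Error"]),
             DestinationDC = tostring(AdditionalFields["TO.DEVICE"])
    // krbtgt (TGT) and kadmin (password change) are the expected AS targets.
    | where Spns !contains "krbtgt" and Spns !contains "kadmin";
// Account/SPN pairs already observed during the baseline period.
let Baseline = AsServiceRequests
    | where Timestamp <= ago(window)
    | distinct AccountUpn, Spns;
AsServiceRequests
| where Timestamp > ago(window)
// leftanti keeps only pairs with no match in the baseline, i.e. first seen today.
| join kind=leftanti Baseline on AccountUpn, Spns
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Requests = count(),
            Failed = countif(LogonType == "Failed logon"),
            Errors = make_set(Error, 10),
            SourceHosts = make_set(DeviceName, 10),
            SourceIPs = make_set(IPAddress, 10),
            TargetDCs = make_set(DestinationDC, 10)
    by AccountUpn, AccountSid, Spns
| order by Requests desc
```

Read the failed requests and their Error values first: one source host asking the AS for many different SPNs in a short window looks like tooling, while a single service account that requests the same SPN every day is more likely a non-Windows Kerberos client and a candidate for the allow-list.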
id: 8abe561f-eecd-45cb-a0a3-152189d2c064
name: Kerberos AS authentications
description: |
This query shows attempts to request a Kerberos service ticket through the AS exchange (which normally issues only TGTs), to monitor Kerberos AS authentications.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- IdentityLogonEvents
tactics:
- Credential Access
relevantTechniques: []
query: |
// This query shows attempts to request a Kerberos service ticket through the AS exchange, which normally issues only TGTs (Ticket Granting Tickets). The krbtgt and kadmin SPNs are excluded because those are the expected targets of an AS request (TGT issuance and the password-change service).
IdentityLogonEvents
| where Application == "Active Directory"
| where Protocol == "Kerberos"
| where LogonType in("Resource access", "Failed logon")
| extend Error = AdditionalFields["Error"]
| extend KerberosType = AdditionalFields['KerberosType']
| where KerberosType == "KerberosAs"
| extend Spns = AdditionalFields["Spns"]
| extend DestinationDC = AdditionalFields["TO.DEVICE"]
| where Spns !contains "krbtgt" and Spns !contains "kadmin"
| project Timestamp, ActionType, LogonType, AccountUpn, AccountSid, IPAddress, DeviceName, KerberosType, Spns, Error, DestinationDC, DestinationIPAddress, ReportId
version: 1.0.0
metadata:
source:
kind: Community
author:
name: Lior Shapira
support:
tier: Community
categories:
domains: [ "Security - Identity" ]
| Sentinel Table | Notes |
|---|---|
| IdentityLogonEvents | Populated from Microsoft Defender for Identity through the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure the connector is enabled and the IdentityLogonEvents data type is selected |
IdentityLogonEvents is produced by the Defender for Identity sensor from domain-controller traffic, so each row carries the account (AccountUpn, AccountSid), the source host (DeviceName, IPAddress), the requested Spns, the outcome (LogonType, Error) and the destination DC, but not the process that sent the request. Every exclusion below therefore has to be built on those fields, and none should key on the destination being a domain controller, because every Kerberos AS request goes to a domain controller and such a filter would suppress all results.
Scenario: A scheduled job on an administrative host uses a non-Windows Kerberos client (for example MIT or Heimdal kinit with the -S option) that asks the AS for a ticket to a specific service instead of a TGT. The Windows klist tool does not produce this pattern: it lists or purges cached tickets, and klist get obtains service tickets with an existing TGT through the TGS exchange, which this query does not match.
Filter/Exclusion: Exclude only the known combination of AccountUpn, source DeviceName or IPAddress and Spns for that job. Do not exclude an account merely because it is privileged (Administrator, Domain Admins); abuse of those accounts is exactly what this hunt should surface.
Scenario: A SQL Server Agent job runs under a service account whose Kerberos client library requests a ticket for the remote instance's MSSQLSvc SPN directly in the AS exchange.
Filter/Exclusion: Exclude events where AccountUpn is that service account and Spns contains the MSSQLSvc SPN of the known instance; keep results for the same account requesting any other SPN.
Scenario: A patch-deployment or configuration-management system authenticates to managed servers under its own service account during a maintenance window. Note that the Windows Update client itself (wuauserv) does not authenticate to domain controllers with Kerberos, so it is not a source of these events.
Filter/Exclusion: Exclude events by that system's AccountUpn and source IPAddress, scoped to the maintenance window, rather than by destination.
Scenario: A backup job (for example Veeam Backup & Replication) runs under a backup service account and authenticates to protected virtual machines and backup repositories.
Filter/Exclusion: The table carries no process name, so VeeamBackup.exe cannot serve as a key; exclude on the backup service account's AccountUpn and the backup server's DeviceName or IPAddress, restricted to the Spns of the hosts and repositories it protects.
Scenario: An authorised scanner (for example an Nmap Kerberos NSE script or a vulnerability scanner) sends AS requests to domain controllers to test authentication; its pre-authentication failures appear as Failed logon rows with Error populated.
Filter/Exclusion: Exclude by the scanner's IPAddress or DeviceName, ideally only within approved scan windows; never exclude by the target domain controller, which would hide identical traffic from an attacker.
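Added example, not the page's own query: the exclusions above expressed as an allow-list joined to the hunting query, so that tuning lives in one datatable instead of a chain of ad-hoc where clauses. The accounts, hosts, SPN fragments and reasons in the datatable are placeholders (assumed names), and the join assumes DeviceName is recorded in the same form (here a lower-case FQDN) as the entries in the list.

```kql
// Added example, not part of the original hunting query.
// Allow-list of (account, source host, SPN fragment) combinations that are expected
// to request service tickets directly in the AS exchange. All values are placeholders.
// An empty SpnFragment suppresses any SPN for that account/host pair; otherwise only
// SPNs containing the fragment are suppressed. Keep one row per account/host pair.
let KnownAsServiceRequesters = datatable(AccountUpn:string, DeviceName:string, SpnFragment:string, Reason:string) [
    "svc-sqlagent@contoso.local", "app01.contoso.local",  "MSSQLSvc/sql01.contoso.local", "SQL Server Agent job to sql01",
    "svc-backup@contoso.local",   "bkp01.contoso.local",  "cifs/",                        "Backup job reading file shares",
    "svc-scanner@contoso.local",  "scan01.contoso.local", "",                             "Authorised vulnerability scanner"
];
IdentityLogonEvents
| where Application == "Active Directory" and Protocol == "Kerberos"
| where LogonType in ("Resource access", "Failed logon")
| extend KerberosType = tostring(AdditionalFields["KerberosType"])
| where KerberosType == "KerberosAs"
| extend Spns = tostring(AdditionalFields["Spns"]),
         Error = tostring(AdditionalFields["Error"]),
         DestinationDC = tostring(AdditionalFields["TO.DEVICE"])
// krbtgt (TGT) and kadmin (password change) are the expected AS targets.
| where Spns !contains "krbtgt" and Spns !contains "kadmin"
// Normalise case so the join does not miss entries because of UPN or host-name casing.
| extend AccountUpn = tolower(AccountUpn), DeviceName = tolower(DeviceName)
| join kind=leftouter (KnownAsServiceRequesters | extend AllowListed = true) on AccountUpn, DeviceName
// Keep a row unless the account/host pair is allow-listed AND the fragment covers its SPN.
| where isnull(AllowListed) or (isnotempty(SpnFragment) and Spns !contains SpnFragment)
| project Timestamp, ActionType, LogonType, AccountUpn, AccountSid, IPAddress, DeviceName, Spns, Error, DestinationDC, DestinationIPAddress, ReportId
```

Rows that survive are either from sources not on the list or from a listed source asking for an SPN outside its declared scope, which is the case worth a look: a backup account that suddenly requests an MSSQLSvc ticket is not covered by the backup row and still appears. Because the list is keyed on source host as well as account, a stolen service-account credential used from another machine is not suppressed either.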