Adversaries may use LDAP queries to identify Kerberoastable accounts (those with a servicePrincipalName) and accounts that do not require Kerberos preauthentication (AS-REP roastable) in Active Directory, as a first step toward extracting service account credentials. SOC teams should proactively hunt for this reconnaissance in Azure Sentinel to detect potential credential compromise before attackers can exploit the discovered accounts.
KQL Query

```kql
// AS-REP roasting reconnaissance: filters that test the userAccountControl
// DONT_REQ_PREAUTH bit (4194304 = 0x400000), via the LDAP_MATCHING_RULE_BIT_AND
// OID 1.2.840.113556.1.4.803 or the "|" / "&" renderings seen in the query log
let ASREP_ROASTING = "userAccountControl:1.2.840.113556.1.4.803:=4194304";
let ASREP_ROASTING1 = "userAccountControl|4194304";
let ASREP_ROASTING2 = "userAccountControl&4194304";
// Kerberoasting reconnaissance: any account that has a servicePrincipalName
let KERBEROASTING = "serviceprincipalname=*";
let LDAP_PORT = 389;                   // change to the LDAP port used in your environment
let ExcludeNtAuthorityProcess = true;  // set to false to keep processes running as NT AUTHORITY
// Azure ATP (MDI) LDAP queries whose search filter matches one of the signatures
let AzureAtpLdap = (
    IdentityQueryEvents
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
    | where SearchFilter contains ASREP_ROASTING or
        SearchFilter contains ASREP_ROASTING1 or
        SearchFilter contains ASREP_ROASTING2 or
        SearchFilter contains KERBEROASTING
    | extend Time = bin(Timestamp, 1s)
    | extend DeviceNameWithoutDomain = tolower(tostring(split(DeviceName, '.')[0])));
// MDATP network events to the LDAP port, which carry the initiating process
let MDAtpNetworkToProcess = (
    DeviceNetworkEvents
    | extend DeviceNameWithoutDomain = tolower(tostring(split(DeviceName, '.')[0]))
    | where RemotePort == LDAP_PORT
    | extend Time = bin(Timestamp, 1s)
    | extend isExclude = iff( ExcludeNtAuthorityProcess and InitiatingProcessAccountDomain == "nt authority" , true, false));
// Correlate on short host name and 1-second bucket; leftouter keeps LDAP hits with no matching process
AzureAtpLdap
| join kind=leftouter (
    MDAtpNetworkToProcess ) on DeviceNameWithoutDomain, Time
| where isExclude == false or isnull(isExclude)
```
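To dry-run the correlation logic before deploying the rule, the following is an added Python re-implementation of the query above (example code, not the page's KQL or a Microsoft artifact) run over constructed IdentityQueryEvents and DeviceNetworkEvents rows. It assumes the same column names the query uses; the sample hosts, filters and process names are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Same filter signatures and tuning knobs as the KQL let statements above.
ASREP_ROASTING = ("userAccountControl:1.2.840.113556.1.4.803:=4194304",
                  "userAccountControl|4194304", "userAccountControl&4194304")
KERBEROASTING = "serviceprincipalname=*"
LDAP_PORT = 389
EXCLUDE_NT_AUTHORITY = True
QUERY_RE = re.compile(r"Search Scope: (.*?), Base Object:(.*?), Search Filter: (.*)")  # the KQL parse statement
def join_key(device_name, ts):
    # DeviceNameWithoutDomain plus bin(Timestamp, 1s): the two KQL join columns
    return device_name.split(".")[0].lower(), ts.replace(microsecond=0)
def is_roasting_filter(search_filter):
    f = search_filter.lower()  # KQL 'contains' is case-insensitive
    return any(s.lower() in f for s in ASREP_ROASTING) or KERBEROASTING in f

def hunt(identity_events, network_events):
    net = defaultdict(list)  # LDAP-bound network events by (host, second), like MDAtpNetworkToProcess
    for n in network_events:
        if n["RemotePort"] == LDAP_PORT:
            net[join_key(n["DeviceName"], n["Timestamp"])].append(n)
    hits = []
    for e in identity_events:
        m = QUERY_RE.search(e["Query"]) if e["ActionType"] == "LDAP query" else None
        if not m or not is_roasting_filter(m.group(3)):
            continue
        key = join_key(e["DeviceName"], e["Timestamp"])
        for n in net.get(key) or [None]:  # [None] keeps unmatched rows, like join kind=leftouter
            excluded = EXCLUDE_NT_AUTHORITY and n is not None \
                and n["InitiatingProcessAccountDomain"].lower() == "nt authority"
            if not excluded:
                hits.append({"Host": key[0], "SearchFilter": m.group(3),
                             "Process": n["InitiatingProcessFileName"] if n else None})
    return hits

T = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample rows below, not real telemetry
BASE = "Search Scope: Subtree, Base Object:DC=corp,DC=example, Search Filter: "
def idq(host, usec, ldap_filter):   # one IdentityQueryEvents row
    return {"Timestamp": T.replace(microsecond=usec), "ActionType": "LDAP query",
            "DeviceName": host, "Query": BASE + ldap_filter}
def netq(host, usec, domain, proc):  # one DeviceNetworkEvents row
    return {"Timestamp": T.replace(microsecond=usec), "DeviceName": host, "RemotePort": 389,
            "InitiatingProcessAccountDomain": domain, "InitiatingProcessFileName": proc}
IDENTITY_EVENTS = [idq("WS01.corp.example", 120000, "(&(samAccountType=805306368)(servicePrincipalName=*))"),
                   idq("DC01.corp.example", 300000, "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"),
                   idq("WS02.corp.example", 0, "(sAMAccountName=jdoe)"),
                   idq("WS03.corp.example", 0, "(userAccountControl|4194304)")]
NETWORK_EVENTS = [netq("ws01.corp.example", 110000, "corp", "powershell.exe"),
                  netq("dc01.corp.example", 290000, "nt authority", "lsass.exe")]
```

Running `hunt(IDENTITY_EVENTS, NETWORK_EVENTS)` keeps the WS01 query attributed to powershell.exe and the WS03 query with no process, drops the DC01 query because its only LDAP-bound process ran as NT AUTHORITY, and ignores the benign sAMAccountName lookup.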
```yaml
id: 17a34f6c-b3ba-42a0-810a-1746281e672d
name: Roasting
description: |
  Detect Active Directory LDAP queries that search for Kerberoasting targets (SPNs) or accounts with Kerberos preauthentication not required, using Azure ATP data, and try to correlate the process that initiated the LDAP query from MDATP.
  Replace 389 on line 5 with the LDAP port used in your environment.
  Change true on line 6 to false if you want to include NT AUTHORITY processes.
  This LDAP query covers the Rubeus, Kerberoast and BloodHound tools.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
      - DeviceNetworkEvents
query: |
  let ASREP_ROASTING = "userAccountControl:1.2.840.113556.1.4.803:=4194304";
  let ASREP_ROASTING1 = "userAccountControl|4194304";
  let ASREP_ROASTING2 = "userAccountControl&4194304";
  let KERBEROASTING = "serviceprincipalname=*";
  let LDAP_PORT = 389;
  let ExcludeNtAuthorityProcess = true;
  let AzureAtpLdap = (
  IdentityQueryEvents
  | where ActionType == "LDAP query"
  | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
  | where SearchFilter contains ASREP_ROASTING or
  SearchFilter contains ASREP_ROASTING1 or
  SearchFilter contains ASREP_ROASTING2 or
  SearchFilter contains KERBEROASTING
  | extend Time = bin(Timestamp, 1s)
  | extend DeviceNameWithoutDomain = tolower(tostring(split(DeviceName, '.')[0])));
  let MDAtpNetworkToProcess = (
  DeviceNetworkEvents
  | extend DeviceNameWithoutDomain = tolower(tostring(split(DeviceName, '.')[0]))
  | where RemotePort == LDAP_PORT
  | extend Time = bin(Timestamp, 1s)
  | extend isExclude = iff( ExcludeNtAuthorityProcess and InitiatingProcessAccountDomain == "nt authority" , true, false));
  AzureAtpLdap
  | join kind=leftouter (
  MDAtpNetworkToProcess ) on DeviceNameWithoutDomain, Time
  | where isExclude == false or isnull(isExclude)
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| IdentityQueryEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Kerberos Ticket Renewal Job | A legitimate scheduled task runs to renew Kerberos tickets for service accounts, which may trigger LDAP queries related to SPN lookups. | Exclude LDAP queries where the process is klist or kinit, or filter by process name krbtgt or kdc. |
| Active Directory Replication Between DCs | Domain controllers periodically replicate directory information, which may include LDAP queries for SPN or Kerberos preauthentication attributes. | Exclude LDAP queries originating from domain controllers (DCs) with IP addresses in the domain controller subnet or with msDS-Replication-Neighbour in the source DN. |
| Admin Task to Audit SPNs | An administrator uses tools like ldapsearch or ADSI Edit to manually audit SPNs and Kerberos preauthentication settings. | Exclude LDAP queries initiated by known admin tools (e.g., ldapsearch, adsiedit, dsquery) or users with elevated privileges (e.g., Domain Admins). |
| Azure ATP Integration with On-Premises AD | Azure ATP synchronizes with on-premises Active Directory, which may involve LDAP queries to fetch Kerberos-related attributes. | Exclude LDAP queries from the Azure ATP sync service (e.g., Azure ATP Sync process or IP ranges associated with Azure services). |
| Kerberoasting Tool Usage for Security Testing | Security teams use tools like PowerView, Kerberoast, or Invoke-Mimikatz to test for vulnerable SPNs in a controlled environment. | Exclude LDAP queries initiated by security |