Managed Sentinel – Alert 143
|Alert Name||Potential Kerberoasting|
|Description||A service principal name (SPN) is used to uniquely identify a service instance in Windows environment. Each SPN is usually associated with a service account.|
A lot of organizations use service accounts with weak passwords in their environment. An attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains a hash of the Service account.
This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive requests to different resources within a small window of time the last hour out of the previous 24 hours
Normal users would not make unusually large number of request within a small time window. This is based of 4769 events which can be very noisy so environment based tweaking might be needed.
|Threat Indicator||Unauthorized Access|
|MITRE ATT&CK Tactics||Credential Access|
|False Positives||Microsoft Windows update (regular)|
|Recommendations||1. Run a full EDR scan on your Active Directory Domain Controller|
2. Via Azure Sentinel console investigate all related events to this alert
3. If required reset password or disable the service account
4. Identify the originator host(s) or AD account which generated the event 4769. Perform a full EDR scan on the originator machine, as potentially this host was breached and is used as an attack launchpoint inside your corporate network.