Managed Sentinel – Alert 143

Alert ID: MS-A143
Alert Name: Potential Kerberoasting
Description: A service principal name (SPN) uniquely identifies a service instance in a Windows environment. Each SPN is associated with a service account (a user account or a computer account).
Many organizations run service accounts with weak passwords. Any authenticated domain user can request a Kerberos ticket-granting service (TGS) service ticket for any SPN from a domain controller (DC); the returned ticket is encrypted with a key derived from the service account's password, so an attacker who collects such tickets can crack the password offline without ever talking to the service.
This hunting query looks, within the last hour, for accounts that generate an unusually large number of service ticket requests to different SPNs within a small time window, using the preceding 24 hours of the same account's activity as the baseline.
Normal users do not request tickets for many distinct services within a short window. The query is based on Windows Security event 4769 (A Kerberos service ticket was requested), which is very noisy, so the window and threshold will likely need tuning per environment.
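The detection logic described above, re-implemented in Python over constructed 4769 events. This is an added example, not the Managed Sentinel hunting query itself (which is not reproduced on this page). The field names mirror the SecurityEvent columns for event 4769, the 10-minute window and threshold of 5 distinct services are assumed tuning values, the exclusion of computer accounts and krbtgt is a common filter because their passwords are long and random and not worth cracking, and the RC4 (0x17) encryption-type count is an extra indicator beyond what the page's description states, included because Kerberoasting tooling typically requests RC4-encrypted tickets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Reference "now" for the constructed sample; a real query would use the query time.
NOW = datetime(2021, 3, 1, 12, 0, 0)


def evt(minutes_ago, user, service, ip, enc="0x17"):
    """Build one constructed 4769 record (not a real log line)."""
    return {"EventID": 4769, "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "TargetUserName": user, "ServiceName": service,
            "IpAddress": ip, "TicketEncryptionType": enc}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # jdoe: six distinct SPN owners inside two minutes, all RC4 -> looks like an SPN sweep
    evt(30, "jdoe@CORP.LOCAL", "sqlsvc", "10.0.0.5"),
    evt(30, "jdoe@CORP.LOCAL", "httpsvc", "10.0.0.5"),
    evt(29, "jdoe@CORP.LOCAL", "backupsvc", "10.0.0.5"),
    evt(29, "jdoe@CORP.LOCAL", "iissvc", "10.0.0.5"),
    evt(28, "jdoe@CORP.LOCAL", "mssqlsvc2", "10.0.0.5"),
    evt(28, "jdoe@CORP.LOCAL", "ftpsvc", "10.0.0.5"),
    # jdoe over the previous 24h: one service at a time, AES -> the baseline
    evt(5 * 60, "jdoe@CORP.LOCAL", "httpsvc", "10.0.0.5", "0x12"),
    evt(9 * 60, "jdoe@CORP.LOCAL", "sqlsvc", "10.0.0.5", "0x12"),
    # alice: three services spread across the hour, AES -> normal activity
    evt(55, "alice@CORP.LOCAL", "httpsvc", "10.0.0.7", "0x12"),
    evt(25, "alice@CORP.LOCAL", "sqlsvc", "10.0.0.7", "0x12"),
    evt(3, "alice@CORP.LOCAL", "ftpsvc", "10.0.0.7", "0x12"),
    # WS01$: machine account hitting machine-owned SPNs and krbtgt -> filtered out
    evt(10, "WS01$@CORP.LOCAL", "DC01$", "10.0.0.9", "0x12"),
    evt(10, "WS01$@CORP.LOCAL", "FS01$", "10.0.0.9", "0x12"),
    evt(10, "WS01$@CORP.LOCAL", "FS02$", "10.0.0.9", "0x12"),
    evt(9, "WS01$@CORP.LOCAL", "krbtgt", "10.0.0.9", "0x12"),
    evt(9, "WS01$@CORP.LOCAL", "DC02$", "10.0.0.9", "0x12"),
]


def is_crackable_target(service_name):
    """Keep only SPNs owned by user accounts: computer accounts ($) and krbtgt
    have long random passwords, so their tickets are not useful to crack."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def peak_distinct_services(events, window):
    """Largest number of distinct ServiceName values requested inside any
    window of length `window` (simple sliding window; fine for per-account volumes)."""
    events = sorted(events, key=lambda e: e["TimeGenerated"])
    best = 0
    for i, first in enumerate(events):
        end = first["TimeGenerated"] + window
        seen = {e["ServiceName"] for e in events[i:] if e["TimeGenerated"] <= end}
        best = max(best, len(seen))
    return best


def find_kerberoasting_candidates(events, now=NOW, window=timedelta(minutes=10), threshold=5):
    """Flag accounts whose last-hour peak of distinct service-ticket targets in
    `window` reaches `threshold` and exceeds that account's previous-24h peak."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or not is_crackable_target(e["ServiceName"]):
            continue
        by_account[e["TargetUserName"]].append(e)

    last_hour_start = now - timedelta(hours=1)
    baseline_start = last_hour_start - timedelta(hours=24)
    findings = []
    for account, evs in by_account.items():
        recent = [e for e in evs if last_hour_start <= e["TimeGenerated"] <= now]
        baseline = [e for e in evs if baseline_start <= e["TimeGenerated"] < last_hour_start]
        peak = peak_distinct_services(recent, window)
        base_peak = peak_distinct_services(baseline, window)
        if peak >= threshold and peak > base_peak:
            findings.append({
                "account": account,
                "source_ips": sorted({e["IpAddress"] for e in recent}),
                "distinct_services": peak,
                "baseline_peak": base_peak,
                "total_requests": len(recent),
                # Extra indicator (assumption, not in the page's query): RC4 tickets
                # are the ones attackers prefer because they crack far faster than AES.
                "rc4_requests": sum(1 for e in recent if e["TicketEncryptionType"] == "0x17"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_kerberoasting_candidates(SAMPLE_EVENTS):
        print(finding)
```

Only jdoe is returned: six distinct services in a 10-minute window against a baseline peak of one, all requested with RC4 from a single source IP, which is the shape the hunting query is after. Raising the threshold or widening the baseline is how you would tune out the noise of monitoring agents and scheduled jobs that legitimately touch many services.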
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Credential Access
Log sources: Windows
False Positives: Microsoft Windows update (regular)
Recommendations:
1. Run a full EDR scan on the Active Directory domain controller that logged the events.
2. In the Azure Sentinel console, investigate all events related to this alert.
3. If required, reset the password of the targeted service account(s) or disable them.
4. Identify the originating host(s) or AD account that generated the 4769 events. Run a full EDR scan on the originating machine, as it has potentially been breached and is being used as a launch point for attacks inside your corporate network.