Detection rules › Splunk
Unusual Number of Kerberos Service Tickets Requested
The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4769 | A Kerberos service ticket was requested. |
Rule body splunk
name: Unusual Number of Kerberos Service Tickets Requested
id: eb3e6702-8936-11ec-98fe-acde48001122
version: 14
creation_date: '2022-02-16'
modification_date: '2026-05-13'
author: Mauricio Velazco, Dean Luxton, Splunk
status: production
type: Anomaly
description: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
data_source:
- Windows Event Log Security 4769
search: |-
`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
| bucket span=2m _time
| stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category values(dest) as dest
BY _time, user, src
| eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std
BY user, src
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)
| search isOutlier=1
| `unusual_number_of_kerberos_service_tickets_requested_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
references:
- https://attack.mitre.org/techniques/T1558/003/
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
drilldown_searches:
- name: View the detection results for - "$src$"
search: '%original_detection_search% | search src = "$src$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: src
type: system
score: 20
message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack
- field: user
type: user
score: 20
message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack
analytic_story:
- Active Directory Kerberos Attacks
asset_type: Endpoint
mitre_attack_id:
- T1558.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
Stage 2: bucket
| bucket span=2m _time
Stage 3: stats
| stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category values(dest) as dest
BY _time, user, src
Stage 4: eventstats
| eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std
BY user, src
Stage 5: eval
| eval upperBound=(comp_avg+comp_std*3)
Stage 6: eval
| eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)
isOutlier =if
unique_services > 2 AND unique_services >= upperBound1else
0Stage 7: search
| search isOutlier=1
Stage 8: search
| `unusual_number_of_kerberos_service_tickets_requested_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ServiceName | ne |
|
TicketEncryptionType | eq |
|
isOutlier | eq |
|