nf_ttp_generic_kerberos_attacks.md
Kerberos attacks

Query Information

MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|---|---|---|
| T1649 | Steal or Forge Authentication Certificates | https://attack.mitre.org/techniques/T1649/ |
| T1558.003 | Kerberoasting | https://attack.mitre.org/techniques/T1558/003/ |
| T1558 | Steal or Forge Kerberos Tickets | https://attack.mitre.org/techniques/T1558/ |
| T1558.004 | AS-REP Roasting | https://attack.mitre.org/techniques/T1558/004/ |
| T1558.001 | Golden Ticket | https://attack.mitre.org/techniques/T1558/001/ |
| T1550.003 | Pass the Ticket | https://attack.mitre.org/techniques/T1550/003/ |
| T1110 | Brute Force | https://attack.mitre.org/techniques/T1110/ |
| T1558.002 | Silver Ticket | https://attack.mitre.org/techniques/T1558/002/ |

Description

Risk

Author

References

  • Microsoft TI (Closed)

Advanced Hunting

Microsoft Defender Antivirus Detections

```kql
AlertInfo
| where Title has_any ("Successful logon using overpass-the-hash with potentially stolen credentials","Command line used for possible overpass-the-hash")
```

The following alerts might also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report:

```kql
AlertInfo
| where Title has_any ("AD reconnaissance activities","Process related to possible AD reconnaissance","Suspicious Lsass Process Access","Bloodhound post-exploitation tool")
```

Microsoft Defender for Identity Detection

```kql
IdentityDirectoryEvents
| where ActionType == "Potential lateral movement path identified"
| project Timestamp, ActionType, Application, AccountName, AccountDomain, AccountSid, AccountDisplayName, DeviceName, AdditionalFields
```

Common Mimikatz command lines

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ('sekurlsa::tickets /export', 'kerberos::ptt')
| project Timestamp, AccountName, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```

Common Rubeus command lines

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ('ptt /ticket', ' monitor /interval', ' asktgt', ' asktgs', ' golden', ' silver', ' kerberoast', ' asreproast', ' renew', ' brute')
| project Timestamp, AccountName, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
```
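To show what the two command-line hunts above (Mimikatz and Rubeus) actually match, here is an added Python emulation that is not part of this page and not Microsoft's Advanced Hunting engine. It approximates KQL `has_any` as a case-insensitive, whole-term phrase match (terms split at non-alphanumeric characters) and runs the page's two term lists over constructed `DeviceProcessEvents` rows. The device and account names, the renamed binary `svc.exe` and the `C:\Reports\silver` directory are all invented sample data, chosen to illustrate two properties of these hunts: they key on command-line terms rather than file names, so a renamed tool still fires, and short terms such as `silver` or `renew` can also fire on benign paths.

```python
"""Added example: emulate the page's Mimikatz/Rubeus command-line hunts
over constructed DeviceProcessEvents rows. KQL has_any semantics are
approximated as case-insensitive whole-term phrase matching (assumption)."""
import re

# KQL splits text into terms at non-alphanumeric characters; this is an approximation.
TERM = re.compile(r"[A-Za-z0-9_]+")


def terms(text):
    """Lower-cased term sequence of a string, e.g. 'a.exe /b' -> ['a', 'exe', 'b']."""
    return [t.lower() for t in TERM.findall(text)]


def has_phrase(haystack_terms, needle):
    """True when the needle's terms occur contiguously, in order, in the haystack."""
    n = terms(needle)
    if not n:
        return False
    size = len(n)
    return any(haystack_terms[i:i + size] == n
               for i in range(len(haystack_terms) - size + 1))


def has_any(text, needles):
    """Emulation of `text has_any (needles)`: any needle phrase present as whole terms."""
    h = terms(text)
    return any(has_phrase(h, n) for n in needles)


# Term lists copied verbatim from the two hunts on this page.
MIMIKATZ_TERMS = ['sekurlsa::tickets /export', 'kerberos::ptt']
RUBEUS_TERMS = ['ptt /ticket', ' monitor /interval', ' asktgt', ' asktgs', ' golden',
                ' silver', ' kerberoast', ' asreproast', ' renew', ' brute']

# Columns the page's `project` clause keeps.
PROJECTED = ["Timestamp", "AccountName", "DeviceName", "InitiatingProcessFileName",
             "InitiatingProcessCommandLine", "FileName", "ProcessCommandLine"]

# Constructed sample rows (not real telemetry); only fields the hunt uses are filled.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "AccountName": "alice", "DeviceName": "ws01",
     "InitiatingProcessFileName": "cmd.exe", "FileName": "mimikatz.exe",
     "ProcessCommandLine": 'mimikatz.exe "sekurlsa::tickets /export" exit'},
    {"Timestamp": "2024-01-01T10:05:00Z", "AccountName": "bob", "DeviceName": "ws02",
     "InitiatingProcessFileName": "powershell.exe", "FileName": "svc.exe",  # renamed tool
     "ProcessCommandLine": r'C:\Users\Public\svc.exe asktgs'},
    {"Timestamp": "2024-01-01T10:06:00Z", "AccountName": "alice", "DeviceName": "ws01",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "notepad.exe",
     "ProcessCommandLine": r'notepad.exe C:\Users\alice\kerberos_notes.txt'},  # benign
    {"Timestamp": "2024-01-01T10:07:00Z", "AccountName": "carol", "DeviceName": "ws03",
     "InitiatingProcessFileName": "svchost.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -File renewal.ps1'},  # 'renewal' != term 'renew'
    {"Timestamp": "2024-01-01T10:08:00Z", "AccountName": "dave", "DeviceName": "ws04",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": r'cmd.exe /c dir C:\Reports\silver'},  # benign, but term 'silver'
]


def hunt(events, needles, label):
    """Apply `where ProcessCommandLine has_any (needles) | project ...` to the rows."""
    hits = []
    for e in events:
        if has_any(e.get("ProcessCommandLine", ""), needles):
            row = {k: e.get(k) for k in PROJECTED}
            row["Hunt"] = label
            hits.append(row)
    return hits


def run_hunts(events=SAMPLE_EVENTS):
    """Run both page hunts; returns the projected hit rows, Mimikatz hits first."""
    return (hunt(events, MIMIKATZ_TERMS, "Common Mimikatz command lines")
            + hunt(events, RUBEUS_TERMS, "Common Rubeus command lines"))


if __name__ == "__main__":
    for row in run_hunts():
        print(row["Hunt"], "|", row["DeviceName"], "|", row["FileName"], "|", row["ProcessCommandLine"])
```

Running it yields three hits: the Mimikatz row, the renamed `svc.exe` row (the hunt never looks at `FileName`), and the benign `dir C:\Reports\silver` row, while `renewal.ps1` is not matched because whole-term matching does not treat `renew` as a prefix. In practice that noise from the shorter Rubeus terms is why the projected `InitiatingProcessFileName` and `InitiatingProcessCommandLine` columns matter: triage on the parent process, or join the hits against the `AlertInfo` queries above, rather than treating every match as a confirmed tool execution.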