Loading

Suspicious Kerberos Authentication Ticket Request

Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.

Rule type: eql
Rule indices:

  • logs-endpoint.events.network-*
  • logs-windows.sysmon_operational-*
  • logs-system.security*
  • logs-windows.forwarded*
  • winlogbeat-*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Endpoint
  • Domain: Identity
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Lateral Movement
  • Use Case: Active Directory Monitoring
  • Data Source: Active Directory
  • Data Source: Elastic Defend
  • Data Source: Sysmon
  • Data Source: Windows Security Event Logs
  • Resources: Investigation Guide

Version: 5
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

  • Which Timeline member events define this Kerberos sequence?

    • Focus: Timeline members keyed by alert source.ip and source.port; recover source process.executable, Kerberos destination.ip, and auth event.code.
    • Hint: record host.id and process.entity_id; verify auth winlog.computer_name is the DC.
    • Implication: escalate when one non-"lsass.exe" source process maps to a DC "4768" or "4769" event in the sequence window; lower concern for socket reuse, a different process, or non-DC destination.

  • Is the recovered source process a recognized Kerberos-capable client?

    • Focus: process.executable, process.hash.sha256, process.pe.original_file_name, process.code_signature.subject_name, and process.code_signature.trusted.
    • Hint: open process start with recovered host.id and process.entity_id; if absent, use host.id, process.pid, and sequence window.
    • Implication: escalate when the binary is unsigned, renamed, user-writable, signer-mismatched, or outside known AD audit, Kerberos diagnostic, or security-test tooling; lower concern only when path, signer, hash history, command, and parent converge on one known tool.

  • Does command-line and parentage show ticket-tool intent?

    • Focus: recovered process.command_line, process.parent.executable, process.parent.command_line, and broader process lineage when needed.
    • Implication: escalate on Bifrost-like verbs or flags such as asktgt, asktgs, s4u, ptt, kerberoast, service/SPN targets, hashes, keytabs, RC4, or base64 tickets, especially from shell or script parents; bounded diagnostics from a recognized admin tool reduce but do not clear concern.

  • Which ticket path and target account did the DC member event show?

    • Focus: recovered auth event.code, winlog.event_data.TargetUserName, and winlog.event_data.TargetDomainName.
    • Implication: escalate when "4769" shows service-ticket activity or "4768" shows TGT handling for privileged, service, machine, or delegation-sensitive targets from the unusual process; fan-out increases concern.

  • Does the source user and session context fit one bounded admin or audit source?

    • Focus: recovered user.id, user.name, user.domain, and winlog.event_data.TargetUserName.
    • Implication: escalate when privileged, service, or user-account tickets originate from a workstation, user session, or non-management tool; lower concern only when source host, user, process identity, command/parent, and target account recur as one bounded Kerberos diagnostic or audit pattern.

  • Do surrounding Kerberos events show repetition or account fan-out?

    • Focus: same-source Kerberos network and authentication events, checking additional "4768"/"4769" events and winlog.event_data.TargetUserName.
      • $investigate_0
      • $investigate_1
    • Implication: escalate when requests repeat or fan out across accounts; a single bounded request narrows scope but does not close if process identity or command intent remains suspicious. Missing network or authentication telemetry is unresolved, not benign.

  • Do later logon or explicit-credential events suggest ticket use?

    • Focus: same-source authentication results, checking later event.code "4624"/"4648", winlog.event_data.TargetUserName, and 4648 winlog.event_data.TargetServerName.
    • Implication: escalate when post-ticket logon or explicit-credential activity reaches sensitive accounts or servers from the same source; absence narrows impact but does not close if the ticket request remains suspicious. Missing same-source authentication telemetry leaves ticket use unresolved, not benign.

  • If local evidence remains suspicious or unresolved, does the same source show related alerts?

    • Focus: related alerts for source.ip; manually pivot on recovered process.hash.sha256 or winlog.event_data.TargetUserName when locally suspicious. $investigate_2
    • Implication: broaden scope when credential-access, Kerberoasting, relay, or lateral-movement alerts share the source, process, or target account; keep local only when related alerts are absent and recovered evidence resolves cleanly.

  • Escalate when sequence recovery, source-process identity, command intent, DC ticket target, account context, or surrounding ticket/logon activity show unauthorized direct Kerberos; close only when telemetry binds one recognized tool, source host, user, and target account and outside confirmation verifies exact activity when telemetry cannot; preserve and escalate when visibility is incomplete or evidence conflicts.

  • AD audit tools, Kerberos diagnostics, interoperability testing, or security testing can request tickets directly instead of through "lsass.exe". Confirm only when process path, signer/hash, parent, command line, source.ip, user.id, event.code, and target account align with the same recognized tool on a dedicated admin, lab, or audit source; without outside records, require the same process identity, source host/user, target account, and bounded ticket pattern across prior alerts from this rule.
  • Treat partial matches as unresolved when process identity fits but the command targets unusual SPNs, privileged accounts, RC4/kerberoast behavior, or follow-on "4624"/"4648" activity. Do not close on signer, source IP, or event code alone when ticket target or command intent contradicts benign workflow.
  • Before creating an exception, anchor it to the minimum stable workflow: dedicated source.ip or source host, process signer/hash/path, parent workflow, user.id, target account, and bounded event.code pattern. Avoid exceptions on source.port, event.code, process name, or broad account patterns alone.
  • If confirmed benign, reverse temporary containment and document the recovered source host/IP, process identity, command line, source user, DC ticket event, and target account that proved the recognized workflow. Create an exception only after the same dedicated source and process pattern recurs consistently.
  • If suspicious but unconfirmed, preserve the alert, Timeline member events, suspicious process binary and command line, source socket, DC authentication record, and any follow-on "4624" or "4648" evidence before containment or process action.
  • Apply reversible containment next: restrict the recovered source host's Kerberos/DC access or isolate the host when its role tolerates isolation, and suspend the recovered process only after process and authentication artifacts are captured.
  • If confirmed malicious, isolate the recovered source host, terminate or suspend the recovered process after recording its process.entity_id, expire exposed Kerberos tickets where operationally appropriate, and reset or rotate impacted credentials, prioritizing privileged, service, machine, and delegation-capable accounts.
  • Before cleanup, search for the same source IP, recovered process hash, target account, and related credential-access, Kerberoasting, relay, or lateral-movement activity so scope is not limited to the first sequence.
  • After containment, retain DC "4768"/"4769" auditing and endpoint network telemetry, restrict direct Kerberos tooling to controlled admin/testing hosts, and document the recovered tool pattern and any logging gaps in the case record.
sequence by source.port, source.ip with maxspan=3s
 [network where host.os.type == "windows" and destination.port == 88 and
  process.executable != null and process.pid != 4 and
  not process.executable : (
        "?:\\Windows\\system32\\lsass.exe",
        "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe",
        "\\device\\harddiskvolume*\\windows\\system32\\svchost.exe"
  ) and
  not (
    process.executable : (
      "C:\\Windows\\System32\\svchost.exe",
      "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
      "C:\\Program Files\\Omnissa\\Horizon\\Server\\bin\\ws_TomcatService.exe",
      "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe"
    ) and
    user.id in ("S-1-5-20", "S-1-5-18")
  ) and
  source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
 [authentication where host.os.type == "windows" and event.code in ("4768", "4769")]

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK