Suspicious Kerberos Authentication Ticket Request

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Suspicious Kerberos Authentication Ticket Request

Correlates network connections to the standard Kerberos port by an unusual process from the source machine with a Kerberos authentication ticket request from the target domain controller.

Rule type: eql

Rule indices:

logs-endpoint.events.network-*
logs-windows.sysmon_operational-*
logs-system.security*
logs-windows.forwarded*
winlogbeat-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Endpoint
Domain: Identity
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Windows Security Event Logs
Resources: Investigation Guide

Version: 5

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Suspicious Kerberos Authentication Ticket Request

Possible investigation steps

Which Timeline member events define this Kerberos sequence?
Focus: Timeline members keyed by alert source.ip and source.port; recover source process.executable, Kerberos destination.ip, and auth event.code.
Hint: record host.id and process.entity_id; verify auth winlog.computer_name is the DC.
Implication: escalate when one non-"lsass.exe" source process maps to a DC "4768" or "4769" event in the sequence window; lower concern for socket reuse, a different process, or non-DC destination.
Is the recovered source process a recognized Kerberos-capable client?
Focus: process.executable, process.hash.sha256, process.pe.original_file_name, process.code_signature.subject_name, and process.code_signature.trusted.
Hint: open process start with recovered host.id and process.entity_id; if absent, use host.id, process.pid, and sequence window.
Implication: escalate when the binary is unsigned, renamed, user-writable, signer-mismatched, or outside known AD audit, Kerberos diagnostic, or security-test tooling; lower concern only when path, signer, hash history, command, and parent converge on one known tool.
Does command-line and parentage show ticket-tool intent?
Focus: recovered process.command_line, process.parent.executable, process.parent.command_line, and broader process lineage when needed.
Implication: escalate on Bifrost-like verbs or flags such as asktgt, asktgs, s4u, ptt, kerberoast, service/SPN targets, hashes, keytabs, RC4, or base64 tickets, especially from shell or script parents; bounded diagnostics from a recognized admin tool reduce but do not clear concern.
Which ticket path and target account did the DC member event show?
Focus: recovered auth event.code, winlog.event_data.TargetUserName, and winlog.event_data.TargetDomainName.
Implication: escalate when "4769" shows service-ticket activity or "4768" shows TGT handling for privileged, service, machine, or delegation-sensitive targets from the unusual process; fan-out increases concern.
Does the source user and session context fit one bounded admin or audit source?
Focus: recovered user.id, user.name, user.domain, and winlog.event_data.TargetUserName.
Implication: escalate when privileged, service, or user-account tickets originate from a workstation, user session, or non-management tool; lower concern only when source host, user, process identity, command/parent, and target account recur as one bounded Kerberos diagnostic or audit pattern.
Do surrounding Kerberos events show repetition or account fan-out?
Focus: same-source Kerberos network and authentication events, checking additional "4768"/"4769" events and winlog.event_data.TargetUserName.
!{investigate{"description":"","label":"Kerberos network events from the same source IP","providers":[[{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"},{"excluded":false,"field":"source.ip","queryType":"phrase","value":"{{source.ip}}","valueType":"string"},{"excluded":false,"field":"destination.port","queryType":"phrase","value":"88","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
!{investigate{"description":"","label":"Authentication events for the same source IP","providers":[[{"excluded":false,"field":"event.category","queryType":"phrase","value":"authentication","valueType":"string"},{"excluded":false,"field":"source.ip","queryType":"phrase","value":"{{source.ip}}","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
Implication: escalate when requests repeat or fan out across accounts; a single bounded request narrows scope but does not close if process identity or command intent remains suspicious. Missing network or authentication telemetry is unresolved, not benign.
Do later logon or explicit-credential events suggest ticket use?
Focus: same-source authentication results, checking later event.code "4624"/"4648", winlog.event_data.TargetUserName, and 4648 winlog.event_data.TargetServerName.
Implication: escalate when post-ticket logon or explicit-credential activity reaches sensitive accounts or servers from the same source; absence narrows impact but does not close if the ticket request remains suspicious. Missing same-source authentication telemetry leaves ticket use unresolved, not benign.
If local evidence remains suspicious or unresolved, does the same source show related alerts?
Focus: related alerts for source.ip; manually pivot on recovered process.hash.sha256 or winlog.event_data.TargetUserName when locally suspicious. !{investigate{"description":"","label":"Alerts associated with the same source IP","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"source.ip","queryType":"phrase","value":"{{source.ip}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
Implication: broaden scope when credential-access, Kerberoasting, relay, or lateral-movement alerts share the source, process, or target account; keep local only when related alerts are absent and recovered evidence resolves cleanly.
Escalate when sequence recovery, source-process identity, command intent, DC ticket target, account context, or surrounding ticket/logon activity show unauthorized direct Kerberos; close only when telemetry binds one recognized tool, source host, user, and target account and outside confirmation verifies exact activity when telemetry cannot; preserve and escalate when visibility is incomplete or evidence conflicts.

False positive analysis

AD audit tools, Kerberos diagnostics, interoperability testing, or security testing can request tickets directly instead of through "lsass.exe". Confirm only when process path, signer/hash, parent, command line, source.ip, user.id, event.code, and target account align with the same recognized tool on a dedicated admin, lab, or audit source; without outside records, require the same process identity, source host/user, target account, and bounded ticket pattern across prior alerts from this rule.
Treat partial matches as unresolved when process identity fits but the command targets unusual SPNs, privileged accounts, RC4/kerberoast behavior, or follow-on "4624"/"4648" activity. Do not close on signer, source IP, or event code alone when ticket target or command intent contradicts benign workflow.
Before creating an exception, anchor it to the minimum stable workflow: dedicated source.ip or source host, process signer/hash/path, parent workflow, user.id, target account, and bounded event.code pattern. Avoid exceptions on source.port, event.code, process name, or broad account patterns alone.

Response and remediation

If confirmed benign, reverse temporary containment and document the recovered source host/IP, process identity, command line, source user, DC ticket event, and target account that proved the recognized workflow. Create an exception only after the same dedicated source and process pattern recurs consistently.
If suspicious but unconfirmed, preserve the alert, Timeline member events, suspicious process binary and command line, source socket, DC authentication record, and any follow-on "4624" or "4648" evidence before containment or process action.
Apply reversible containment next: restrict the recovered source host’s Kerberos/DC access or isolate the host when its role tolerates isolation, and suspend the recovered process only after process and authentication artifacts are captured.
If confirmed malicious, isolate the recovered source host, terminate or suspend the recovered process after recording its process.entity_id, expire exposed Kerberos tickets where operationally appropriate, and reset or rotate impacted credentials, prioritizing privileged, service, machine, and delegation-capable accounts.
Before cleanup, search for the same source IP, recovered process hash, target account, and related credential-access, Kerberoasting, relay, or lateral-movement activity so scope is not limited to the first sequence.
After containment, retain DC "4768"/"4769" auditing and endpoint network telemetry, restrict direct Kerberos tooling to controlled admin/testing hosts, and document the recovered tool pattern and any logging gaps in the case record.

Setup

edit

Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

Rule query

edit

sequence by source.port, source.ip with maxspan=3s
 [network where host.os.type == "windows" and destination.port == 88 and
  process.executable != null and process.pid != 4 and
  not process.executable : (
        "?:\\Windows\\system32\\lsass.exe",
        "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe",
        "\\device\\harddiskvolume*\\windows\\system32\\svchost.exe"
  ) and
  not (
    process.executable : (
      "C:\\Windows\\System32\\svchost.exe",
      "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe",
      "C:\\Program Files\\Omnissa\\Horizon\\Server\\bin\\ws_TomcatService.exe",
      "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe"
    ) and
    user.id in ("S-1-5-20", "S-1-5-18")
  ) and
  source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
 [authentication where host.os.type == "windows" and event.code in ("4768", "4769")]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Pass the Ticket
- ID: T1550.003
- Reference URL: https://attack.mitre.org/techniques/T1550/003/
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Steal or Forge Kerberos Tickets
- ID: T1558
- Reference URL: https://attack.mitre.org/techniques/T1558/
Sub-technique:
- Name: Kerberoasting
- ID: T1558.003
- Reference URL: https://attack.mitre.org/techniques/T1558/003/
Sub-technique:
- Name: AS-REP Roasting
- ID: T1558.004
- Reference URL: https://attack.mitre.org/techniques/T1558/004/

« Suspicious JetBrains TeamCity Child Process Suspicious Kernel Feature Activity »