Kerberoasting: burst of RC4 TGS tickets
Event 4769 (a Kerberos service ticket was requested) with ticket encryption type 0x17 (RC4-HMAC), issued in bulk against many distinct SPNs within a few minutes, is the classic signature of Kerberoasting: an attacker who holds any domain account requests RC4 service tickets for every SPN they can enumerate and cracks them offline.
Prerequisites
Elasticsearch 8.12+ (for ES|QL), with Kerberos service ticket operations auditing enabled on the domain controllers so that event 4769 is collected.
ES|QL
FROM "logs-windows-*"
| WHERE event.code == "4769"
AND winlog.event_data.TicketEncryptionType == "0x17"
AND @timestamp >= NOW() - 24 hours
| STATS
tickets = COUNT(*),
spn_distincts = COUNT_DISTINCT(winlog.event_data.ServiceName),
debut = MIN(@timestamp),
fin = MAX(@timestamp)
BY user.name, source.ip
| EVAL fenetre_min = DATE_DIFF("minute", debut, fin)
| WHERE tickets > 20 AND spn_distincts > 10
| KEEP user.name, source.ip, tickets, spn_distincts, fenetre_min
| SORT spn_distincts DESC
| LIMIT 20

Result

user.name | source.ip  | tickets | spn_distincts | fenetre_min
----------+------------+---------+---------------+------------
t.morel   | 10.2.14.88 |      87 |            84 |           3
ext-audit | 10.2.31.17 |      42 |            39 |          11
svc-scan  | 10.2.0.50  |      31 |            12 |        1440
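The same aggregation as the ES|QL query above, as an added Python example (not part of the original rule) run over a constructed set of 4769 events, so the thresholds can be checked outside Elasticsearch. The user names, IPs and SPNs are invented; the field names mirror the query's output columns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 events, not real logs:
# (timestamp, user.name, source.ip, TicketEncryptionType, ServiceName)
BASE = datetime(2024, 5, 6, 9, 0, 0)

def make_events():
    events = []
    # t.morel: 25 RC4 tickets for 25 distinct SPNs in under 3 minutes -> burst
    for i in range(25):
        events.append((BASE + timedelta(seconds=7 * i), "t.morel", "10.2.14.88",
                       "0x17", f"svc{i:02d}/host{i:02d}.corp.local"))
    # svc-scan: 31 RC4 tickets to 12 SPNs spread over 24 h -> slow, still matches
    for i in range(31):
        events.append((BASE + timedelta(minutes=48 * i), "svc-scan", "10.2.0.50",
                       "0x17", f"MSSQLSvc/db{i % 12:02d}.corp.local"))
    # a.dupont: 30 AES256 (0x12) tickets -> excluded by the RC4 filter
    for i in range(30):
        events.append((BASE + timedelta(seconds=5 * i), "a.dupont", "10.2.9.3",
                       "0x12", f"HTTP/web{i:02d}.corp.local"))
    # j.doe: a handful of RC4 tickets -> below both thresholds
    for i in range(5):
        events.append((BASE + timedelta(seconds=60 * i), "j.doe", "10.2.5.5",
                       "0x17", f"cifs/fs{i}.corp.local"))
    return events

def detect_kerberoasting(events, min_tickets=20, min_spns=10, rc4="0x17"):
    """Group RC4 4769 events by (user, source ip) and apply the query's thresholds."""
    buckets = defaultdict(list)
    for ts, user, ip, enc, spn in events:
        if enc == rc4:                      # WHERE TicketEncryptionType == "0x17"
            buckets[(user, ip)].append((ts, spn))
    hits = []
    for (user, ip), rows in buckets.items():
        tickets = len(rows)                                  # COUNT(*)
        spns = len({spn for _, spn in rows})                 # COUNT_DISTINCT(ServiceName)
        times = [ts for ts, _ in rows]
        window_min = int((max(times) - min(times)).total_seconds() // 60)  # DATE_DIFF
        if tickets > min_tickets and spns > min_spns:        # WHERE tickets > 20 AND spn_distincts > 10
            hits.append({"user": user, "source_ip": ip, "tickets": tickets,
                         "spn_distincts": spns, "fenetre_min": window_min})
    return sorted(hits, key=lambda h: h["spn_distincts"], reverse=True)  # SORT spn_distincts DESC

if __name__ == "__main__":
    for hit in detect_kerberoasting(make_events()):
        print(hit)
```

Note that, like the ES|QL rule, the thresholds ignore fenetre_min: the slow svc-scan account (12 SPNs over 1440 minutes) is reported alongside the genuine burst, so analysts should read the window column before escalating, or add a condition on it for a higher-fidelity variant.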