Windows Large Number of Computer Service Tickets Requested

name: Windows Large Number of Computer Service Tickets Requested
id: 386ad394-c9a7-4b4f-b66f-586252de20f0
version: 9
date: '2026-03-10'
author: Mauricio Velazco, Splunk
type: Anomaly
status: production
data_source:
    - Windows Event Log Security 4769
description: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.
search: |-
    `wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$"
      | bucket span=5m _time
      | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets values(dest) as dest
        BY _time, IpAddress, TargetUserName
      | where unique_targets > 30
      | `windows_large_number_of_computer_service_tickets_requested_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
references:
    - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
    - https://attack.mitre.org/techniques/T1135/
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
drilldown_searches:
    - name: View the detection results for - "$IpAddress$"
      search: '%original_detection_search% | search  IpAddress = "$IpAddress$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$IpAddress$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.
    risk_objects:
        - field: IpAddress
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Privilege Escalation
        - Active Directory Lateral Movement
    asset_type: Endpoint
    mitre_attack_id:
        - T1135
        - T1078
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog