Windows Large Number of Computer Service Tickets Requested

name: Windows Large Number of Computer Service Tickets Requested
id: 386ad394-c9a7-4b4f-b66f-586252de20f0
version: 11
creation_date: '2023-03-21'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic detects a high volume of Kerberos service ticket requests, specifically more than 30, from a single source within a 5-minute window. It leverages Event ID 4769, which logs when a Kerberos service ticket is requested, focusing on requests with computer names as the Service Name. This behavior is significant as it may indicate malicious activities such as lateral movement, malware staging, or reconnaissance. If confirmed malicious, an attacker could gain unauthorized access to multiple endpoints, potentially compromising the entire network.
data_source:
    - Windows Event Log Security 4769
search: |-
    `wineventlog_security` EventCode=4769 ServiceName="*$" TargetUserName!="*$"
      | bucket span=5m _time
      | stats dc(ServiceName) AS unique_targets values(ServiceName) as host_targets values(dest) as dest
        BY _time, IpAddress, TargetUserName
      | where unique_targets > 30
      | `windows_large_number_of_computer_service_tickets_requested_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
references:
    - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
    - https://attack.mitre.org/techniques/T1135/
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
drilldown_searches:
    - name: View the detection results for - "$IpAddress$"
      search: '%original_detection_search% | search  IpAddress = "$IpAddress$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$IpAddress$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: IpAddress
          type: system
          score: 20
          message: A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.
analytic_story:
    - Active Directory Privilege Escalation
    - Active Directory Lateral Movement
asset_type: Endpoint
mitre_attack_id:
    - T1135
    - T1078
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog
      test_type: unit