Unusual Number of Kerberos Service Tickets Requested

name: Unusual Number of Kerberos Service Tickets Requested
id: eb3e6702-8936-11ec-98fe-acde48001122
version: 12
date: '2026-03-10'
author: Mauricio Velazco, Dean Luxton, Splunk
status: production
type: Anomaly
description: The following analytic identifies an unusual number of Kerberos service ticket requests, potentially indicating a kerberoasting attack. It leverages Kerberos Event 4769 and calculates the standard deviation for each host, using the 3-sigma rule to detect anomalies. This activity is significant as kerberoasting allows adversaries to request service tickets and crack them offline, potentially gaining privileged access to the domain. If confirmed malicious, this could lead to unauthorized access to sensitive accounts and escalation of privileges within the Active Directory environment.
data_source:
    - Windows Event Log Security 4769
search: |-
    `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
      | bucket span=2m _time
      | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category values(dest) as dest
        BY _time, user, src
      | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std
        BY user, src
      | eval upperBound=(comp_avg+comp_std*3)
      | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0)
      | search isOutlier=1
      | `unusual_number_of_kerberos_service_tickets_requested_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled.
known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.
references:
    - https://attack.mitre.org/techniques/T1558/003/
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack
    risk_objects:
        - field: src
          type: system
          score: 20
        - field: user
          type: user
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Kerberos Attacks
    asset_type: Endpoint
    mitre_attack_id:
        - T1558.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog