Kerberoasting: a burst of RC4 TGS tickets
The combination of event 4769 and encryption type 0x17 (RC4), requested in bulk against many distinct SPNs within a few minutes, is the classic signature of Kerberoasting.
Use case
Detecting enumeration of Active Directory service accounts prior to offline cracking.
Prerequisites
Elasticsearch 8.12+, Kerberos auditing (event 4769)
ES|QL query
FROM "logs-windows-*"
| WHERE event.code == "4769"
AND winlog.event_data.TicketEncryptionType == "0x17"
AND @timestamp >= NOW() - 24 hours
| STATS
tickets = COUNT(*),
spn_distincts = COUNT_DISTINCT(winlog.event_data.ServiceName),
debut = MIN(@timestamp),
fin = MAX(@timestamp)
BY user.name, source.ip
| EVAL fenetre_min = DATE_DIFF("minute", debut, fin)
| WHERE tickets > 20 AND spn_distincts > 10
| KEEP user.name, source.ip, tickets, spn_distincts, fenetre_min
| SORT spn_distincts DESC
| LIMIT 20
Result
user.name | source.ip  | tickets | spn_distincts | fenetre_min
----------+------------+---------+---------------+------------
t.morel   | 10.2.14.88 |      87 |            84 |           3
ext-audit | 10.2.31.17 |      42 |            39 |          11
svc-scan  | 10.2.0.50  |      31 |            12 |        1440
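The same detection logic as a stand-alone Python port, added here as an example and not part of the original rule: it replays the query's filter, grouping, thresholds and window calculation over a constructed set of 4769 events (the winlog.event_data.* fields are flattened to plain keys, and the account names, SPNs and addresses are made up), so the aggregation can be checked without an Elasticsearch cluster.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RC4_HMAC = "0x17"  # TicketEncryptionType value the ES|QL rule filters on

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _ev(ts, user, ip, spn, etype=RC4_HMAC):
    return {"@timestamp": ts, "event.code": "4769", "TicketEncryptionType": etype,
            "user.name": user, "source.ip": ip, "ServiceName": spn}

def make_sample_events():
    """Constructed events, not real telemetry: one burst plus two kinds of benign noise."""
    base = _ts("2024-03-04T09:00:00Z")
    events = []
    # Burst: one account requests RC4 tickets for 24 distinct SPNs inside three minutes.
    events += [_ev(base + timedelta(seconds=7 * i), "t.morel", "10.2.14.88",
                   f"MSSQLSvc/db{i:02d}.corp.example") for i in range(24)]
    # Same account re-requests a single SPN ten times: more tickets, no new SPNs.
    events += [_ev(base + timedelta(seconds=170 + 5 * i), "t.morel", "10.2.14.88",
                   "HTTP/intranet.corp.example") for i in range(10)]
    # Workstation using AES-256 (0x12): dropped by the encryption-type filter.
    events += [_ev(base + timedelta(minutes=i), "a.dupont", "10.2.20.5",
                   f"cifs/fs{i}.corp.example", etype="0x12") for i in range(30)]
    # Legacy RC4 client touching five SPNs: below both thresholds.
    events += [_ev(base + timedelta(minutes=10 * i), "svc-legacy", "10.2.0.9",
                   f"MSSQLSvc/old{i}.corp.example") for i in range(5)]
    return events

def kerberoast_candidates(events, now, min_tickets=20, min_spns=10, lookback=timedelta(hours=24)):
    """Port of the ES|QL pipeline: WHERE, STATS ... BY user/ip, EVAL window, threshold, SORT, LIMIT."""
    groups = defaultdict(lambda: {"tickets": 0, "spns": set(), "debut": None, "fin": None})
    for ev in events:
        if (ev["event.code"] != "4769" or ev["TicketEncryptionType"] != RC4_HMAC
                or ev["@timestamp"] < now - lookback):  # the three WHERE clauses
            continue
        g = groups[(ev["user.name"], ev["source.ip"])]
        g["tickets"] += 1
        g["spns"].add(ev["ServiceName"])
        g["debut"] = min(filter(None, [g["debut"], ev["@timestamp"]]))  # MIN(@timestamp)
        g["fin"] = max(filter(None, [g["fin"], ev["@timestamp"]]))      # MAX(@timestamp)
    rows = []
    for (user, ip), g in groups.items():
        if g["tickets"] > min_tickets and len(g["spns"]) > min_spns:
            rows.append({"user.name": user, "source.ip": ip, "tickets": g["tickets"],
                         "spn_distincts": len(g["spns"]),
                         "fenetre_min": int((g["fin"] - g["debut"]).total_seconds() // 60)})
    return sorted(rows, key=lambda r: r["spn_distincts"], reverse=True)[:20]
```

Only the bursting account survives both thresholds; the AES workstation never enters the aggregation and the low-volume legacy client is filtered out by the counts.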