windows_powerview_kerberos_service_ticket_request.yml
name: Windows PowerView Kerberos Service Ticket Request
id: 970455a1-4ac2-47e1-a9a5-9e75443ddcb9
version: 1
date: '2022-06-22'
author: Gowthamaraj Rajendran, Splunk
status: production
type: TTP
description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
  to identify the execution of the `Get-DomainSPNTicket` cmdlet with specific
  parameters. This cmdlet is part of PowerView, a PowerShell tool used to perform
  enumeration and discovery on Windows Active Directory networks. As the name suggests,
  this cmdlet is used to request the Kerberos service ticket for a specified service principal
  name (SPN). Once the ticket is received, it may be cracked using password cracking
  tools like hashcat to extract the password of the SPN account. Red Teams and adversaries
  alike may leverage PowerView and this cmdlet to identify accounts that can
  be attacked with the Kerberoasting technique.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats
  count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
  Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`'
how_to_implement: The following analytic requires PowerShell operational logs to be
  imported. Modify the powershell macro as needed to match the sourcetype or add index.
  This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: False positives may include administrators using PowerView for
  troubleshooting and management.
references:
- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainSPNTicket/
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
- https://attack.mitre.org/techniques/T1558/003
tags:
  analytic_story:
  - Active Directory Kerberos Attacks
  - Rhysida Ransomware
  asset_type: Endpoint
  confidence: 90
  impact: 30
  message: PowerView cmdlet used for requesting an SPN service ticket executed on
    $dest$
  mitre_attack_id:
  - T1558
  - T1558.003
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Computer
  - ScriptBlockText
  risk_score: 27
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log
    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
    sourcetype: XmlWinEventLog
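The search above is plain SPL, so its behaviour is easiest to check by replaying the same logic outside Splunk. The following Python is an added example, not part of the Splunk security_content project: it renders a few constructed 4104 events in the XmlWinEventLog shape, applies the case-insensitive `*Get-DomainSPNTicket*` match, computes `stats count min(_time) max(_time) by EventCode ScriptBlockText Computer UserID`, performs the two renames, and stands in for the `..._filter` macro with a set of tuned-out `(dest, user)` pairs. The hostnames, SIDs and script block text are made up, and `security_content_ctime` is assumed here to render `%Y-%m-%dT%H:%M:%S` in UTC.

```python
"""Replays the detection logic of the search above over constructed 4104 events."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Constructed sample events: (SystemTime, Computer, UserID, ScriptBlockText).
# Hostnames, SIDs and commands are made up; they are not from the attack_data set.
SAMPLE_EVENTS = [
    ("2022-06-22T14:03:11.000Z", "ws01.example.local", "S-1-5-21-1111-2222-3333-1105",
     "Get-DomainSPNTicket -SPN MSSQLSvc/sql01.example.local"),
    ("2022-06-22T14:05:42.000Z", "ws01.example.local", "S-1-5-21-1111-2222-3333-1105",
     "Get-DomainSPNTicket -SPN MSSQLSvc/sql01.example.local"),
    # Splunk's wildcard match is case-insensitive, so this lower-case pipe also hits.
    ("2022-06-22T15:10:00.000Z", "srv02.example.local", "S-1-5-21-1111-2222-3333-500",
     "Get-DomainUser -SPN | get-domainspnticket"),
    # Benign script block: must not be reported.
    ("2022-06-22T15:12:30.000Z", "srv02.example.local", "S-1-5-21-1111-2222-3333-500",
     "Get-Process | Where-Object CPU -gt 100"),
]


def make_event(system_time, computer, user_sid, script_text):
    """Render one event in the XmlWinEventLog shape the analytic consumes."""
    return (
        f"<Event xmlns='{EVENT_NS}'><System>"
        f"<Provider Name='Microsoft-Windows-PowerShell'/><EventID>4104</EventID>"
        f"<TimeCreated SystemTime='{system_time}'/><Computer>{computer}</Computer>"
        f"<Security UserID='{user_sid}'/></System><EventData>"
        f"<Data Name='MessageNumber'>1</Data><Data Name='MessageTotal'>1</Data>"
        f"<Data Name='ScriptBlockText'>{escape(script_text)}</Data>"
        f"</EventData></Event>"
    )


def parse_4104(xml_text):
    """Extract the fields the search uses: _time, EventCode, Computer, UserID, ScriptBlockText."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "_time": when.timestamp(),
        "EventCode": system.find("e:EventID", NS).text,
        "Computer": system.find("e:Computer", NS).text,
        "UserID": system.find("e:Security", NS).get("UserID"),
        "ScriptBlockText": data.get("ScriptBlockText", ""),
    }


# ScriptBlockText=*Get-DomainSPNTicket*: unanchored, case-insensitive substring match.
PATTERN = re.compile(r"Get-DomainSPNTicket", re.IGNORECASE)


def matches(event):
    return event["EventCode"] == "4104" and PATTERN.search(event["ScriptBlockText"]) is not None


def ctime(epoch):
    """Stand-in for `security_content_ctime`; assumed to render %Y-%m-%dT%H:%M:%S in UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_search(events, tuned_out=frozenset()):
    """stats count, firstTime, lastTime by EventCode ScriptBlockText Computer UserID,
    then the renames. `tuned_out` is a set of (dest, user) pairs standing in for the
    `..._filter` macro, which is where known-good admin activity would be excluded."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
            groups[key].append(ev["_time"])
    rows = []
    for (code, text, computer, user), times in groups.items():
        if (computer, user) in tuned_out:
            continue
        rows.append({"EventCode": code, "ScriptBlockText": text, "dest": computer,
                     "user": user, "count": len(times),
                     "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return rows


def sample_results(tuned_out=frozenset()):
    """Run the replayed search over the constructed sample events."""
    return run_search([parse_4104(make_event(*e)) for e in SAMPLE_EVENTS], tuned_out)


if __name__ == "__main__":
    for row in sample_results():
        print(f"{row['firstTime']} .. {row['lastTime']} count={row['count']} "
              f"dest={row['dest']} user={row['user']} :: {row['ScriptBlockText']}")
```

Two practical points the replay makes visible. First, the `stats ... by ScriptBlockText` grouping means a host that runs the same script block twice yields one row with `count=2`, while a differently worded invocation yields a separate row; the tuning point for the administrators named under `known_false_positives` is the filter macro, modelled here by `tuned_out`. Second, Windows splits long script blocks across several 4104 events (the `MessageNumber`/`MessageTotal` fields), so a cmdlet name that happens to straddle a fragment boundary would not match a single-event substring search; the sample events are all single-fragment.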