Query Details

KDC for KRBTGT Password

Query

name: KDC for KRBTGT Password
description: |
  Alerts on KDC and Kerberos ticket events that follow a change of the KRBTGT account password.
severity: High
requiredDataConnectors:
  - Azure ATP
  - Security Events
dataTypes:
  - SecurityEvent
  - Event
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
  - Persistence
query: |
  //KDC for KRBTGT Password
  // Details: https://www.eshlomo.us/azure-sentinel-and-krbtgt/
  union SecurityEvent, Event
  | where TimeGenerated >= ago(1h)   // keep the lookback equal to queryPeriod; a wider ago() here has no effect in a scheduled rule
  | where EventID in (10, 14)        // KDC events that follow the reset (Event table)
      or EventID == 4769             // Kerberos service ticket requested (SecurityEvent); noisy on its own, consider restricting to ServiceName == "krbtgt"

Explanation

This rule is meant to detect a change of the KRBTGT account password, the key the KDC (Key Distribution Center) uses to protect Kerberos ticket-granting tickets. It unions the SecurityEvent and Event tables and matches two kinds of rows: Event IDs 10 and 14 from the Event table, which are the KDC events the rule's author associates with a KRBTGT reset, and Security Event ID 4769, which records a Kerberos service ticket request (a TGT request is 4768, so "TGT after reset" is a loose description). The filter has to be a disjunction, EventID in (10, 14) or EventID == 4769; a conjunction of the two clauses, which is how the query was first published, can never match because a row has only one EventID. The lookback should equal the one-hour queryPeriod; an ago(5d) in the query does not widen what the scheduled rule evaluates. Two caveats for anyone deploying it: Event IDs 10 and 14 are reused by many providers, so restrict the Event rows to the Kerberos-Key-Distribution-Center source, and 4769 fires for every service ticket request, so restrict it (for example to ServiceName == "krbtgt") or the rule will alert every hour. The direct record of the reset itself is Security Event ID 4724 (an attempt was made to reset an account's password) or 4738 (a user account was changed) with TargetUserName krbtgt. The rule runs every hour over a one-hour window, has High severity, requires the Azure ATP and Security Events connectors, and is mapped to the Impact and Persistence tactics.
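To make the filter bug and the tuning concrete, here is the rule's logic reimplemented in Python over a handful of constructed log rows. This is an added example, not the page's or Rod Trent's code: the rows are invented, the column names follow the Sentinel SecurityEvent and Event schemas, and the tuned variant (KDC source filter, ServiceName == "krbtgt", and the 4724/4738 reset indicator) is an assumption about what the detection should do, not the rule as published.

```python
from datetime import datetime, timedelta

# Reference point for the constructed sample; in Sentinel this is the rule's run time.
NOW = datetime(2020, 9, 14, 12, 0, 0)

# Constructed sample rows (not real telemetry). "Table" says which Sentinel table the
# row would come from; the other keys follow the SecurityEvent / Event column names.
KDC_SOURCE = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
SAMPLE_ROWS = [
    # KDC warnings in the System log, inside the last hour
    {"Table": "Event", "TimeGenerated": NOW - timedelta(minutes=40), "EventID": 14,
     "Source": KDC_SOURCE, "Computer": "DC01.contoso.local"},
    {"Table": "Event", "TimeGenerated": NOW - timedelta(minutes=35), "EventID": 10,
     "Source": KDC_SOURCE, "Computer": "DC01.contoso.local"},
    # Unrelated Event ID 10 from another provider: same number, different meaning
    {"Table": "Event", "TimeGenerated": NOW - timedelta(minutes=30), "EventID": 10,
     "Source": "Microsoft-Windows-WMI", "Computer": "DC01.contoso.local"},
    # Service ticket requests: one naming krbtgt, one for a file server
    {"Table": "SecurityEvent", "TimeGenerated": NOW - timedelta(minutes=20), "EventID": 4769,
     "ServiceName": "krbtgt", "TargetUserName": "alice@CONTOSO.LOCAL", "Computer": "DC01.contoso.local"},
    {"Table": "SecurityEvent", "TimeGenerated": NOW - timedelta(minutes=15), "EventID": 4769,
     "ServiceName": "FS01$", "TargetUserName": "alice@CONTOSO.LOCAL", "Computer": "DC01.contoso.local"},
    # The reset itself: a password reset attempt against the krbtgt account
    {"Table": "SecurityEvent", "TimeGenerated": NOW - timedelta(minutes=45), "EventID": 4724,
     "TargetUserName": "krbtgt", "SubjectUserName": "admin", "Computer": "DC01.contoso.local"},
    # A logon, and a KDC event from three days ago (outside the one-hour window)
    {"Table": "SecurityEvent", "TimeGenerated": NOW - timedelta(minutes=5), "EventID": 4624,
     "TargetUserName": "bob", "Computer": "DC01.contoso.local"},
    {"Table": "Event", "TimeGenerated": NOW - timedelta(days=3), "EventID": 14,
     "Source": KDC_SOURCE, "Computer": "DC01.contoso.local"},
]


def in_window(rows, lookback, now=NOW):
    """Equivalent of `| where TimeGenerated >= ago(lookback)`."""
    return [r for r in rows if r["TimeGenerated"] >= now - lookback]


def published_filter(rows, now=NOW):
    """The rule as first published: both where clauses apply to every row, so a row
    would need EventID in (10, 14) *and* EventID == 4769. Nothing can match."""
    return [r for r in in_window(rows, timedelta(days=5), now)
            if r["EventID"] in (10, 14) and r["EventID"] == 4769]


def corrected_filter(rows, now=NOW):
    """The intended disjunction, with the lookback aligned to queryPeriod (1h)."""
    return [r for r in in_window(rows, timedelta(hours=1), now)
            if r["EventID"] in (10, 14) or r["EventID"] == 4769]


def tuned_filter(rows, now=NOW):
    """Assumed tuning (not the page's own): Event 10/14 only from the KDC provider,
    and 4769 only when the requested service is krbtgt."""
    out = []
    for r in in_window(rows, timedelta(hours=1), now):
        if r["Table"] == "Event" and r["EventID"] in (10, 14) and r["Source"] == KDC_SOURCE:
            out.append(r)
        elif r["Table"] == "SecurityEvent" and r["EventID"] == 4769 and r.get("ServiceName") == "krbtgt":
            out.append(r)
    return out


def reset_indicator(rows, now=NOW):
    """Direct evidence of the reset: 4724 (password reset attempt) or 4738 (account
    changed) whose target is the krbtgt account. Not part of the published rule."""
    return [r for r in in_window(rows, timedelta(hours=1), now)
            if r["Table"] == "SecurityEvent" and r["EventID"] in (4724, 4738)
            and r.get("TargetUserName", "").lower() == "krbtgt"]


def would_fire(matches, trigger_threshold=0):
    """triggerOperator: gt, triggerThreshold: 0 -> alert when more than 0 rows match."""
    return len(matches) > trigger_threshold


if __name__ == "__main__":
    for name, fn in [("published", published_filter), ("corrected", corrected_filter),
                     ("tuned", tuned_filter), ("reset indicator", reset_indicator)]:
        hits = fn(SAMPLE_ROWS)
        print(f"{name:16s} rows={len(hits)} fires={would_fire(hits)}")
```

Run it and the published filter returns no rows at all, the corrected one picks up the unrelated WMI event and the file-server ticket request alongside the KDC events, and the tuned one keeps only the three rows a responder would actually want to see; the separate reset indicator is what tells you the password was changed rather than that Kerberos was busy.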

Details


Rod Trent

Released: September 14, 2020

Tables

SecurityEvent, Event

Keywords

Devices, Intune, User

Operators

union, where, TimeGenerated, ago, in
