Query Details

Kerberos Roasting Detection

Query

// Kerberos Roasting Detection 🕵️‍♀️🔥

// Built a KQL detection with the IdentityLogonEvents table to outsmart attackers. Bonus? A VIP whitelist entry: [email protected], roasting bad actors with style!🍔🤣

let WhitelistAdminAccount = dynamic(["[email protected]"]);
IdentityLogonEvents 
| where Timestamp > ago(1h)
| where Protocol == "Kerberos"
| where parse_json(AdditionalFields)["AttackTechniques"] has 'T1558.003'
| where parse_json(AdditionalFields)["EncryptionType"] has "rc4hmac"
| extend SPNs = tostring(parse_json(AdditionalFields)["Spns"])
| summarize Target_SPN=dcount(SPNs) by AccountUpn
| where not (AccountUpn has_any(WhitelistAdminAccount))
| where Target_SPN > 3

Explanation

This query is designed to detect potential Kerberos ticket attacks, specifically "Kerberos Roasting," by analyzing logon events. Here's a simple breakdown of what it does:

  1. Whitelist Setup: It defines a whitelist of VIP accounts that should be ignored in the detection. In this case, the account "[email protected]" is whitelisted.

  2. Data Source: It uses the IdentityLogonEvents table to find relevant logon events.

  3. Time Filter: It only considers events that occurred within the last hour.

  4. Protocol Filter: It focuses on events where the Kerberos protocol was used.

  5. Attack Technique Detection: It checks whether the event's additional fields indicate the attack technique "T1558.003", the MITRE ATT&CK sub-technique for Kerberoasting (the technique the page calls Kerberos Roasting).

  6. Encryption Type Filter: It further filters events to those using the "rc4hmac" encryption type. RC4-HMAC service tickets are keyed from the account's NT hash and are far cheaper to crack offline than AES tickets, so attackers requesting tickets for Kerberoasting typically ask for RC4.

  7. Service Principal Names (SPNs) Extraction: It extracts the SPNs involved in the event.

  8. Summarization: It counts the distinct SPNs targeted by each user account (AccountUpn).

  9. Whitelist Exclusion: It excludes any accounts that are on the whitelist from further consideration.

  10. Suspicious Activity Detection: It flags accounts that have targeted more than three distinct SPNs within the hour, since requesting service tickets for many different services in a short window is more consistent with enumeration than with normal use.

In summary, this query is designed to identify potential Kerberos Roasting attacks by looking for unusual patterns in Kerberos logon events, while excluding known safe accounts from the analysis.
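To show the same logic outside the portal, here is an added example (not part of the original query or the author's material) that replays the ten steps above over a few constructed IdentityLogonEvents-shaped rows. Names such as `corp.example`, the sample SPNs and the `_row` helper are invented for the demonstration; it also expands each event's Spns array so every SPN counts individually, which goes slightly beyond the KQL's `tostring(Spns)`.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like IdentityLogonEvents (not real telemetry).
NOW = datetime(2025, 3, 14, 12, 0, tzinfo=timezone.utc)

def _row(minutes_ago, upn, spns, enc="rc4hmac", tech="Kerberoasting (T1558.003)", proto="Kerberos"):
    """Build one event; AdditionalFields is kept as a JSON string, as in the table."""
    fields = {"AttackTechniques": tech, "EncryptionType": enc, "Spns": spns}
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "Protocol": proto,
            "AccountUpn": upn, "AdditionalFields": json.dumps(fields)}

SAMPLE_EVENTS = [
    _row(5, "jdoe@corp.example", ["MSSQLSvc/db1.corp.example"]),
    _row(6, "jdoe@corp.example", ["MSSQLSvc/db2.corp.example", "HTTP/web1.corp.example"]),
    _row(7, "jdoe@corp.example", ["CIFS/fs1.corp.example"]),           # 4th distinct SPN -> flagged
    _row(8, "admin@corp.example", ["MSSQLSvc/db1.corp.example", "HTTP/web1.corp.example",
                                    "CIFS/fs1.corp.example", "LDAP/dc1.corp.example"]),  # whitelisted
    _row(9, "svc-app@corp.example", ["MSSQLSvc/db1.corp.example"], enc="aes256"),  # AES: ignored
    _row(90, "old@corp.example", ["A/x", "B/x", "C/x", "D/x"]),         # outside the 1h window
]

def detect_kerberoasting(events, whitelist, now=NOW, window=timedelta(hours=1), spn_threshold=3):
    """Return {AccountUpn: distinct SPN count} for accounts above the threshold.

    Mirrors the KQL filters. Each event's Spns array is expanded so every SPN
    counts once; the original query's tostring(Spns) compares whole arrays, so
    a single event listing several SPNs counts as one distinct value there.
    """
    spns_by_account = defaultdict(set)
    for ev in events:
        if ev["Timestamp"] <= now - window or ev["Protocol"] != "Kerberos":
            continue
        extra = json.loads(ev["AdditionalFields"])
        # KQL 'has' is a term match; substring checks approximate it here.
        if "T1558.003" not in str(extra.get("AttackTechniques", "")):
            continue
        if "rc4hmac" not in str(extra.get("EncryptionType", "")).lower():
            continue
        spns_by_account[ev["AccountUpn"]].update(extra.get("Spns", []))
    return {upn: len(spns) for upn, spns in spns_by_account.items()
            if upn not in whitelist and len(spns) > spn_threshold}

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS, {"admin@corp.example"}))
```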

Details


Steven Lim

Released: March 14, 2025

Tables

IdentityLogonEvents

Keywords

IdentityLogonEvents, AccountUpn, AdditionalFields, Spns, Timestamp, Protocol, AttackTechniques, EncryptionType

Operators

let, dynamic, |, where, >, ago, ==, parse_json, has, extend, tostring, summarize, dcount, by, not, has_any
