Sentinel Timeroasting KQL Detection
Query
// Sentinel Timeroasting KQL detection
// https://github.com/SecuraBV/Timeroast
// Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer or trust account by sending an NTP request with that account's RID. This is not a problem when computer accounts are properly generated, but if a non-standard or legacy default password is set this tool allows you to brute-force those offline.
// By default, Windows checks NTP (Network Time Protocol) roughly once every hour
// Abnormal NTP connections indicate possible timeroasting activities conducted
let TimeRoastingTrigger = 3;
let NTPDeviceIPs =
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where ApplicationProtocol has "ntp"
| where ipv4_is_private(DestinationIP)
| distinct DestinationIP;
DeviceNetworkEvents
| where LocalIP has_any(NTPDeviceIPs)
| where Protocol == "Udp"
| summarize Count=count() by RemoteIP
| sort by Count desc
| where Count > TimeRoastingTrigger
// MITRE ATT&CKExplanation
This KQL query is designed to detect potential "timeroasting" activities, which exploit Windows' Network Time Protocol (NTP) authentication mechanism. Here's a simplified breakdown of what the query does:
-
Define a Trigger Threshold: The query sets a threshold (
TimeRoastingTrigger) of 3, which is used to identify suspicious activity. -
Identify NTP Device IPs:
- It looks at security logs from the past hour (
TimeGenerated > ago(1h)) to find network traffic using the NTP protocol (ApplicationProtocol has "ntp"). - It filters for private IP addresses (
ipv4_is_private(DestinationIP)) and collects a list of distinct destination IPs involved in NTP traffic.
- It looks at security logs from the past hour (
-
Analyze Network Events:
- It examines network events to find those where the local IP matches any of the identified NTP device IPs (
LocalIP has_any(NTPDeviceIPs)). - It focuses on UDP protocol traffic (
Protocol == "Udp").
- It examines network events to find those where the local IP matches any of the identified NTP device IPs (
-
Summarize and Sort:
- It counts the number of connections from each remote IP (
summarize Count=count() by RemoteIP). - It sorts these counts in descending order (
sort by Count desc).
- It counts the number of connections from each remote IP (
-
Filter Suspicious Activity:
- It filters out any remote IPs with a connection count greater than the defined threshold (
Count > TimeRoastingTrigger), indicating potential timeroasting activity.
- It filters out any remote IPs with a connection count greater than the defined threshold (
In summary, this query is looking for unusual patterns in NTP traffic that could suggest an attacker is trying to exploit weak or default passwords by requesting password hashes through NTP requests.
Details

Steven Lim
Released: December 2, 2024
Tables
CommonSecurityLogDeviceNetworkEvents
Keywords
Devices
Operators
lethasipv4_is_privatedistincthas_anysummarizecountsortdescwhere>==