Query Details

Kerberos attacks

Nf Ttp Generic Kerberos Attacks

Query

AlertInfo 
| where Title has_any ("Successful logon using overpass-the-hash with potentially stolen credentials","Command line used for possible overpass-the-hash")

About this query

Explanation

The query is looking for potential Kerberos attacks. It checks for specific alerts related to successful logon using stolen credentials and command line usage for overpass-the-hash. It also looks for potential lateral movement paths identified in IdentityDirectoryEvents and common Mimikatz and Rubeus command lines in DeviceProcessEvents.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: February 1, 2024

Tables

AlertInfoIdentityDirectoryEventsDeviceProcessEvents

Keywords

DevicesIntuneUser

Operators

has_anywhereTitleAlertInfoProjectTimestampActionTypeApplicationAccountNameAccountDomainAccountSidAccountDisplayNameDeviceNameAdditionalFieldsProcessCommandLineDeviceProcessEventsIdentityDirectoryEventssekurlsa::tickets /exportkerberos::pttptt /ticketmonitor /intervalasktgtasktgsgoldensilverkerberoastasreproastrenewbrute

Actions

GitHub