Kerberos attacks
Nf Ttp Generic Kerberos Attacks
Query
AlertInfo
| where Title has_any ("Successful logon using overpass-the-hash with potentially stolen credentials","Command line used for possible overpass-the-hash")About this query
Explanation
The query is looking for potential Kerberos attacks. It checks for specific alerts related to successful logon using stolen credentials and command line usage for overpass-the-hash. It also looks for potential lateral movement paths identified in IdentityDirectoryEvents and common Mimikatz and Rubeus command lines in DeviceProcessEvents.
Details

Bert-Jan Pals
Released: February 1, 2024
Tables
AlertInfoIdentityDirectoryEventsDeviceProcessEvents
Keywords
DevicesIntuneUser
Operators
has_anywhereTitleAlertInfoProjectTimestampActionTypeApplicationAccountNameAccountDomainAccountSidAccountDisplayNameDeviceNameAdditionalFieldsProcessCommandLineDeviceProcessEventsIdentityDirectoryEventssekurlsa::tickets /exportkerberos::pttptt /ticketmonitor /intervalasktgtasktgsgoldensilverkerberoastasreproastrenewbrute