[New Rule] Suspicious Kerberos Ticket request

[adrianchen-es]

Description

Elastic should have a rule to detect successful Kerberos service ticket (TGS) requests (event ID 4769) where the ticket encryption type is RC4-HMAC (0x17). RC4-encrypted TGS tickets are commonly targeted in Kerberoasting attacks for offline password cracking of service accounts. Machine account requests are excluded to reduce noise.

Target Ruleset

windows

Target Rule Type

Event Correlation (EQL)

Tested ECS Version

No response

Query

any where event.category: "authentication" and event.code: "4769" and winlog.event_data.Status: "0x0" and winlog.event_data.TicketEncryptionType: "0x17" and not winlog.event_data.ServiceName regex~ ".*\\$"

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response

[adrianchen-es]

Potential TOML for the rule

# Suspicious Kerberos Ticket request (RC4 TGS / 4769)
[metadata]
creation_date = "2025/12/09"
integration = ["windows"]
maturity = "production"
updated_date = "2025/12/09"

[rule]
version = 1
rule_id = "suspicious-kerberos-rc4-tgs-request"
name = "Suspicious Kerberos Ticket request"
description = """
Detects successful Kerberos service ticket (TGS) requests (event ID 4769) where the ticket encryption type is RC4-HMAC (0x17).
RC4-encrypted TGS tickets are commonly targeted in Kerberoasting attacks for offline password cracking of service accounts.
Machine account requests are excluded to reduce noise.
"""
author = ["adrianchen-es"]
from = "now-9m"
risk_score = 47
severity = "medium"
enabled = true
license = "Elastic License v2"
false_positives = [
  "Legacy applications that still require RC4 for Kerberos service ticket requests.",
  "Service accounts for which RC4 is intentionally enabled and heavily used by known application servers."
]
tags = [
  "Domain: Active Directory",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Technique: Steal or Forge Kerberos Tickets",
  "Sub-technique: Kerberoasting",
  "Data Source: Windows Security Event Logs"
]
# -----------------------------------------------------------------------------
# Query section
# -----------------------------------------------------------------------------
[rule.query]
language = "eql"
indices = [
  "logs-windows.security*",
  "winlogbeat-*"
]
# Example KQL targeting 4769 + RC4 TGS + success outcome
# and excluding machine accounts (ending with $).
query = """
any where event.category: "authentication" and event.code: "4769" and winlog.event_data.Status: "0x0" and winlog.event_data.TicketEncryptionType: "0x17" and not winlog.event_data.ServiceName regex~ ".*\\$"
"""
# -----------------------------------------------------------------------------
# MITRE ATT&CK mapping
# -----------------------------------------------------------------------------
[[rule.threat]]
framework = "MITRE ATT&CK"
  [[rule.threat.tactic]]
  id = "TA0006"
  name = "Credential Access"
  reference = "https://attack.mitre.org/tactics/TA0006/"
    [[rule.threat.tactic.technique]]
    id = "T1558"
    name = "Steal or Forge Kerberos Tickets"
    reference = "https://attack.mitre.org/techniques/T1558/"
      [[rule.threat.tactic.technique.subtechnique]]
      id = "T1558.003"
      name = "Kerberoasting"
      reference = "https://attack.mitre.org/techniques/T1558/003/"