Kerberos Detection/Investigation

Query 1 - S4U2Self:

```S4U2Self: successful (Failure_Code 0x0) 4769 with Ticket_Options 0x40800018 where the requesting account and the requested service name are the same principal once the realm suffix is stripped and case is normalised```
index=windows EventCode=4769 Failure_Code=0x0 Ticket_Options=0x40800018
```Keep only the last ":"-separated token of Client_Address so it lines up with Source_Address in 5156. Assumes an IPv4-mapped form (::ffff:a.b.c.d); a plain IPv6 client address would be reduced to its final group — TODO confirm for this environment```
| eval Client_Address=mvindex(split(Client_Address, ":"), -1)
```Account_Name may carry a "@REALM" suffix; compare the bare user part, upper-cased, with the (upper-cased) first Service_Name value```
| eval alt_account_name=upper(mvindex(split(Account_Name, "@"), 0)), alt_service_name=upper(mvindex(Service_Name, 0))
| where alt_account_name = alt_service_name
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Attribute the request to a process: inner join (first match per key, Splunk's default) against the client-side outbound connection to port 88 (5156). NOTE(review): the subsearch is subject to Splunk's subsearch result/time limits, so high 5156 volume can silently drop correlations — verify limits before relying on this for alerting. host!=*DC* is a hostname convention, not a role check — confirm it excludes all domain controllers here```
| join type=inner SourcePort, SourceAddress
    [ search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
      | rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName ]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name

Query 2 - Kerberoasting:

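```Kerberoasting: successful (Failure_Code 0x0) service-ticket requests made by a user account (Account_Name without "$") for a service account that is neither a computer account (no trailing "$") nor krbtgt, where the ticket is RC4 (0x17) with Ticket_Options 0x40800018 or 0x40800000, or AES256 (0x12) with Ticket_Options 0x40800000```
```Fix: the original condition was written "A AND B OR C", which SPL parses as "(A AND B) OR C", so any 0x40800000 ticket matched regardless of encryption type; the encryption-type test is now applied to both option values```
index=windows EventCode=4769 Failure_Code=0x0 Service_Name!="*$" Service_Name!="krbtgt" Account_Name!="*$*"
    AND (
        (Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018 OR Ticket_Options=0x40800000))
        OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000)
    )
```Keep only the last ":"-separated token of Client_Address so it lines up with Source_Address in 5156. Assumes an IPv4-mapped form (::ffff:a.b.c.d); a plain IPv6 client address would be reduced to its final group — TODO confirm for this environment```
| eval Client_Address=mvindex(split(Client_Address, ":"), -1)
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Attribute the request to a process: inner join (first match per key, Splunk's default) against the client-side outbound connection to port 88 (5156). NOTE(review): the subsearch is subject to Splunk's subsearch result/time limits, so high 5156 volume can silently drop correlations — verify limits before relying on this for alerting. host!=*DC* is a hostname convention, not a role check — confirm it excludes all domain controllers here```
| join type=inner SourcePort, SourceAddress
    [ search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
      | rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName ]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name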

Query 3 - AskTGT:

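```AskTGT: 4768 (AS-REQ) events whose ticket encryption type is RC4 (0x17). Attacker can change encryption type — the requester picks the etype, so this is a heuristic for tooling that asks for RC4 rather than a definitive indicator```
index=windows EventCode=4768 Ticket_Encryption_Type=0x17
```Keep only the last ":"-separated token of Client_Address so it lines up with Source_Address in 5156. Assumes an IPv4-mapped form (::ffff:a.b.c.d); a plain IPv6 client address would be reduced to its final group — TODO confirm for this environment```
| eval Client_Address=mvindex(split(Client_Address, ":"), -1)
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Attribute the request to a process: inner join (first match per key, Splunk's default) against the client-side outbound connection to port 88 (5156). NOTE(review): the subsearch is subject to Splunk's subsearch result/time limits, so high 5156 volume can silently drop correlations — verify limits before relying on this for alerting. host!=*DC* is a hostname convention, not a role check — confirm it excludes all domain controllers here```
| join type=inner SourcePort, SourceAddress
    [ search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
      | rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName ]
```Fix: the subsearch now renames Application_Name AS ApplicationName as the other two queries do; previously ApplicationName was never populated and the table listed both spellings, so only the single normalised column is kept```
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name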