Microsoft Defender for Identity Alert Details
Alert ID: MDI-KERBEROAST-1558-7842
Alert Time: 2024-03-11 14:15:33 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Kerberos Service Ticket Requests – Kerberoasting”
MITRE ATT&CK: T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting
Alert Details:
Detection: Unusual number of Kerberos service ticket requests (TGS-REQ) from single host
Source Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 14:00-14:15 EST
Kerberos Events:
14:00:15 – TGS-REQ for service: MSSQLSvc/sql-01.company.com:1433
14:00:45 – TGS-REQ for service: MSSQLSvc/sql-02.company.com:1433
14:01:12 – TGS-REQ for service: MSSQLSvc/sql-03.company.com:1433
14:01:38 – TGS-REQ for service: HTTP/web-01.company.com
14:02:05 – TGS-REQ for service: HTTP/web-02.company.com
14:02:33 – TGS-REQ for service: CIFS/filesrv-01.company.com
14:03:01 – TGS-REQ for service: CIFS/filesrv-02.company.com
(continuing – total 87 requests in 15 minutes)
Service Account SPNs Targeted:
SQL Service accounts (12 requests)
Web service accounts (8 requests)
File server accounts (15 requests)
Other service accounts (52 requests)
Detection Logic:
87 TGS requests in 15 minutes (highly anomalous)
User rpatel normally requests 0-2 TGS per day (established baseline)
Requests span many different service accounts, not only the services this user's role needs
Pattern matches Kerberoasting (bulk requests for service tickets so their encrypted portion can be cracked offline)
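The detection logic above, expressed as an added example that is not part of the original alert or MDI's own rule: a sliding-window count of TGS requests per account over Windows Security event 4769 fields. It assumes events are available as (time, account, client IP, service name, ticket encryption type) tuples; the sample events, the thresholds and the client IPs are constructed here, and the RC4 indicator (encryption type 0x17) is added as an extra signal beyond what the page lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_events():
    """Constructed 4769-style records (not real logs): one Kerberoasting burst
    shaped like the page's timeline, plus two benign lookups by another user."""
    base = datetime(2024, 3, 11, 14, 0, 15)
    spns = ([f"MSSQLSvc/sql-{i:02d}.company.com:1433" for i in range(1, 13)]
            + [f"HTTP/web-{i:02d}.company.com" for i in range(1, 9)]
            + [f"CIFS/filesrv-{i:02d}.company.com" for i in range(1, 6)])
    # One request every 30 seconds, all RC4 (0x17), from the constructed host IP
    burst = [(base + timedelta(seconds=30 * i), "rpatel", "10.20.30.45", spn, "0x17")
             for i, spn in enumerate(spns)]
    # Normal behaviour: same file server twice, hours apart, AES256 (0x12)
    benign = [(datetime(2024, 3, 11, 9, 5), "jdoe", "10.20.30.12",
               "CIFS/filesrv-01.company.com", "0x12"),
              (datetime(2024, 3, 11, 13, 40), "jdoe", "10.20.30.12",
               "CIFS/filesrv-01.company.com", "0x12")]
    return burst + benign

def detect_kerberoasting(events, window=timedelta(minutes=15),
                         request_threshold=10, min_distinct_spns=5):
    """Return one alert per account whose TGS-REQ volume in any window of
    `window` length reaches the thresholds. Thresholds are assumptions;
    tune them against the account's baseline (0-2 TGS per day on this page)."""
    by_user = defaultdict(list)
    for ts, user, ip, spn, enc in events:
        by_user[user].append((ts, ip, spn, enc))
    alerts = []
    for user, recs in by_user.items():
        recs.sort()                      # tuples sort by timestamp first
        start, best = 0, None
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1               # slide the window forward
            hits = recs[start:end + 1]
            distinct = {r[2] for r in hits}
            if len(hits) >= request_threshold and len(distinct) >= min_distinct_spns:
                if best is None or len(hits) > best["count"]:
                    best = {"user": user, "count": len(hits),
                            "distinct_spns": len(distinct),
                            "rc4_tickets": sum(r[3] == "0x17" for r in hits),
                            "window_start": hits[0][0], "window_end": hits[-1][0]}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for a in detect_kerberoasting(make_sample_events()):
        print(a)
```

The RC4 count is worth surfacing separately because a burst of 0x17 tickets in an AES-capable domain is the classic sign that the requester chose the weakest ticket type for cracking.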
SOC Investigation Process
Step                      | Action                          | Tools Used                      | Findings
1. Alert Validation       | Verify MDI alert                | Microsoft Defender for Identity | Confirmed Kerberoasting activity
2. Process Investigation  | Identify source on ENG-WS-045   | CrowdStrike Falcon              | PowerView script (Get-NetUser -SPN) running
3. User Interview         | Contact rpatel                  | Teams, Phone                    | User did NOT run this (account compromised)
4. Immediate Action       | Isolate host                    | CrowdStrike                     | ENG-WS-045 quarantined
5. Account Remediation    | Disable rpatel account          | Azure AD, AD                    | Account disabled; password reset
6. Service Account Audit  | Review service account passwords| IT Ops                          | 23 service accounts with weak passwords flagged
Jira Incident Report
Ticket: SOC-2024-202
Summary: T1558.003 – Kerberoasting Attack from Compromised Engineering Account
Status: RESOLVED
Resolution: MALICIOUS – Tickets Requested, Service Account Passwords Rotated
Priority: P2 – MEDIUM
Labels: T1558, kerberoasting, service-tickets, mdi, compromised-account
Components: Identity-Management, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Kerberos Service Ticket Requests – Kerberoasting”.
Source Host: ENG-WS-045 (Engineering, user rpatel).
Requests: 87 TGS requests in 15 minutes.
Time: 2024-03-11 14:15 EST.
Technique: MITRE ATT&CK T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting.
2. Technical Analysis:
Attack Chain:
13:30 – rpatel account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
14:00 – Attacker runs PowerView script to enumerate SPNs
14:00-14:15 – Attacker requests TGS tickets for service accounts
14:15 – MDI detects
Kerberoasting Technique:
Goal: Request service tickets (TGS) for accounts that have SPNs registered
The service portion of each ticket is encrypted with a key derived from the service account's password (for RC4 tickets, the account's NT hash), so the ticket itself is a crackable artifact
Offline cracking: Attacker takes the tickets off the network and guesses passwords against them, with no further contact with the domain controller and no lockout
Result: If a guess succeeds, the attacker holds that service account's credentials
Data Obtained:
87 encrypted service tickets
Tickets for 23 unique service accounts
Tickets saved to C:\Users\rpatel\Desktop\tickets.kirbi
Service Account Password Strength:
12 accounts with strong/complex passwords (safe)
8 accounts with moderate passwords (crackable in weeks)
3 accounts with weak passwords (crackable in days) – flagged
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45 – Attacker logs in
14:00-14:15 – Ticket requests
14:15 – Alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Account disabled
Indicators of Compromise (IoCs):
Files:
– C:\Users\rpatel\Desktop\tickets.kirbi (87 tickets)
Commands:
– Get-NetUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045.
Deleted tickets.kirbi file.
Disabled rpatel account.
Reset password.
Service Account Remediation:
Identified 23 service accounts targeted.
Rotated passwords for all 23 accounts.
Enforced strong password policy for service accounts.
Host Remediation:
Reimaged ENG-WS-045.
5. Root Cause Analysis:
Primary Cause: User account compromised via phishing, giving the attacker an authenticated domain session from which any user can request service tickets and perform Kerberoasting.
Contributing Factors:
No MFA on the account.
Some service accounts had weak passwords, making their tickets crackable.
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: 87 encrypted tickets obtained (passwords rotated).
7. Remediation & Prevention:
Completed Actions:
Tickets deleted.
Service account passwords rotated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented strong password policy for service accounts.
Enhanced monitoring for TGS requests.
Deployed managed service accounts (gMSA) where possible.
8. Conclusion:
An attacker compromised an engineering account and performed Kerberoasting, requesting 87 service tickets for offline cracking. MDI detected the anomalous TGS requests, enabling deletion of the tickets and rotation of all targeted service account passwords.
Closure Rationale: Tickets obtained but deleted; service account passwords rotated; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-11 15:30 EST