Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

12 alerts match the current filters. technique: T1558 ✕

Show ATT&CK heatmap
  • A user received multiple weakly encrypted service tickets Informational Identity Analytics 1 variation

    A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Abnormal issuance of weakly encrypted service tickets to a user

    Low overridden

    A user received multiple weakly encrypted service tickets. This is typically a sign of a Kerberoasting attack. overridden

  • A user requested multiple service tickets Informational Identity Analytics 1 variation

    A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Abnormal issuance of service tickets to a user

    Low overridden

    A user requested multiple service tickets. This is typically a sign of a Kerberoasting attack. overridden

  • A user sent multiple TGT requests to irregular service Low Identity Analytics 2 variations

    A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    A user sent an excessive number of TGT requests to irregular services

    Medium overridden

    A user sent multiple TGT requests to services other than KRBTGT and KADMIN. This is typically a sign of a Kerberoasting attack. overridden

    A user sent a TGT request to irregular service

    Informational overridden

    A user sent a TGT request to a service other than KRBTGT and KADMIN. This might indicate an attempt to perform a Kerberoasting attack. overridden

  • Discovery of accounts with pre-authentication disabled via LDAP Low Identity Analytics 1 variation

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007) Credential Access (TA0006)
    ATT&CK techniques: Account Discovery (T1087) Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: LDAP Analytics (Server), LDAP Analytics (Client)
    Attacker's goals: An attacker is attempting to enumerate Active Directory.
    Investigative actions: Check if the process executes LDAP search queries as part of its normal behavior. Investigate the LDAP search query for any suspicious indicators. Correlate logs from the same host or user for related LDAP queries or other unusual activities. Audit accounts flagged as not requiring pre-authentication and verify compliance with security policies. Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.

    Variations

    Suspicious discovery of accounts without pre-authentication required via LDAP

    Medium overridden

    A possible discovery of accounts without pre-authentication required via LDAP was performed. Such enumeration may be used during attacks against the organization. overridden

  • Multiple TGT requests for users without Kerberos pre-authentication Informational Identity Analytics 2 variations

    Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: Windows Event Collector XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    An excessive number of TGT requests were sent for users that do not require Kerberos pre-authentication

    Low overridden

    Multiple TGT requests for users that do not require Kerberos pre-authentication were observed. This is typically a sign of an AS-REP attack. overridden

    A TGT request was sent for a user who does not require Kerberos pre-authentication

    Informational overridden

    A TGT request was sent for a user who does not require Kerberos pre-authentication. This might indicate an AS-REP attack. overridden

  • Multiple Weakly-Encrypted Kerberos Tickets Received Low

    A user accessed a number of services associated with user accounts in the 10 minutes leading to the alert, generating a number of weakly encrypted Kerberos TGS (ticket granting service) tickets that is significantly larger than the number of weakly encrypted TGS tickets received by that user in the 30 days leading to the alert.Services associated with user accounts are a common target for Kerberoasting due to default weak encryption.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Hour
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack account credentials by obtaining easy-to-crack Kerberos tickets.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool accessing those services.
  • Possible AS-REP Roasting Attack Medium Identity Analytics 1 variation

    A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: AS-REP Roasting (T1558.004)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert, to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    AS-REP Roasting Attack

    High overridden

    A user enumerated all accounts that don't require pre-authentication in the organization and specifically requested tickets for those accounts. This is typically a sign of an AS-REP Roasting attack. overridden

  • Possible Kerberoasting attack Medium Identity Analytics 1 variation

    A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: XDR Agent XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Kerberoasting attack

    High overridden

    A user enumerated all service principals in the organization and specifically requested weak and deprecated encryption in a ticket request. This is typically a sign of a Kerberoasting attack. overridden

  • Possible Kerberoasting without SPNs Low 1 variation

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack service account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Possible Kerberoasting without SPNs on a sensitive server

    Medium overridden

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes, and is typically a sign of a Kerberoasting attack. The requested service was specified by using a suspicious SPN type, which is often used by Kerberoasting tools to request by SAN instead of SPN. overridden

  • Suspicious LDAP queries followed by shared folder access Low

    The user executed suspicious LDAP queries shortly before accessing a shared folder.This behavior may be indicative of Rubeus activity involving Kerberos ticket forgery, such as Golden Ticket or Silver Ticket attacks.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An attacker may use LDAP based account discovery and a forged Kerberos ticket (e.g. Silver Ticket) to access shared resources and collect sensitive data.
    Investigative actions: Review the LDAP query content to determine if it targets privileged groups (e.g., Domain Admins) or sensitive objects. Correlate the shared folder path with sensitive file shares (e.g., SYSVOL, NETLOGON, backup shares). Check if the IP address {ip_address} is associated with known administrative systems or unusual user behavior. Determine if Rubeus or other Kerberos abuse tools were used based on timing, patterns, or command line artifacts. Inspect for potential Silver Ticket or Golden Ticket activity by reviewing Kerberos ticket logs and security events. Verify if the user account had prior suspicious authentication events or privilege escalation.
  • Suspicious setspn.exe execution Low

    A Service Principal Name (SPN) is a unique identifier for a service, mapped to a specific account. Setspn.exe can be used to retrieve SPN information, which may indicate an attacker's attempt to "Kerberoast".

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets (T1558)
    Required data: XDR Agent
    Attacker's goals: Retrieving SPN information to perform related attacks like 'Kerberoast'.
    Investigative actions: Investigate the user who executed setspn.exe and find out if the act was malicious.
  • Weakly-Encrypted Kerberos Ticket Requested Low 1 variation

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    30 Days
    ATT&CK tactics: Credential Access (TA0006)
    ATT&CK techniques: Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: Crack account credentials by obtaining an easy-to-crack Kerberos ticket.
    Investigative actions: Check who used the host at the time of the alert to rule out a benign service or tool requesting weak Kerberos encryption.

    Variations

    Weakly-Encrypted Kerberos Ticket Requested on a sensitive server

    Medium overridden

    A user specifically requested weak and deprecated encryption in a Kerberos TGS request. This provides easy-to-crack hashes and is typically a sign of a Kerberoasting attack. This action occurred on a sensitive server, which may indicate a malicious activity. overridden