investigate_pass_the_ticket_attempts.yml

name: Investigate Pass the Ticket Attempts
id: 990007ad-d798-4b29-ab2f-f0034144c937
version: 1
date: '2019-12-10'
author: Patrick Bareiss, Splunk
type: Investigation
datamodel: []
description: This search hunts for dumped kerberos ticket from LSASS memory.
search: '`wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user
  "(?<new_user>[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count)
  AS max_count sum(count) AS sum_count BY new_user, dest| search dest=$dest$ | where
  sum_count/max_count!=2 | rename new_user AS user '
how_to_implement: To successfully implement this search you need to be ingesting windows
  security logs. This search uses an input macro named `wineventlog_security`. We
  strongly recommend that you specify your environment-specific configurations (index,
  source, sourcetype, etc.) for Windows Security logs. Replace the macro definition
  with configurations for your Splunk environment. The search also uses a post-filter
  macro designed to filter out known false positives.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - Credential Dumping
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - EventCode
  - user
  - dest
  security_domain: endpoint