Attackers may be using stolen credentials to impersonate a user and perform lateral movement within the network, leveraging Kerberos tickets to execute an overpass-the-hash attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential privilege escalation and unauthorized access.
KQL Query
AlertInfo
| where ServiceSource =~ "Microsoft Defender for Identity"
| where Title == "Suspected overpass-the-hash attack (Kerberos)"
| extend AlertTime = Timestamp
| join
(
AlertEvidence
| where EntityType == "User"
)
on AlertId
| distinct AlertTime, AccountSid
| join kind=leftouter
(
DeviceLogonEvents
| where LogonType == "Network" and ActionType == "LogonSuccess"
| extend LogonTime = Timestamp
)
on AccountSid
| where LogonTime between (AlertTime .. (AlertTime + 2h))
| project DeviceId, AlertTime, AccountName, AccountSid
id: aeb65be9-7a40-409e-a227-56ebbcf33de4
name: ImpersonatedUserFootprint
description: |
  Microsoft Defender for Identity raises an alert on a suspicious Kerberos ticket, pointing to a potential overpass-the-hash attack.
  Once attackers gain credentials for a user with higher privileges, they use the stolen credentials to sign into other devices and move laterally.
  This query finds the sign-in events that follow an overpass-the-hash alert, to trace the footprint of the impersonated user.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertInfo
      - AlertEvidence
      - DeviceLogonEvents
tactics:
  - Lateral movement
query: |
  AlertInfo
  | where ServiceSource =~ "Microsoft Defender for Identity"
  | where Title == "Suspected overpass-the-hash attack (Kerberos)"
  | extend AlertTime = Timestamp
  | join
  (
      AlertEvidence
      | where EntityType == "User"
  )
  on AlertId
  | distinct AlertTime, AccountSid
  | join kind=leftouter
  (
      DeviceLogonEvents
      | where LogonType == "Network" and ActionType == "LogonSuccess"
      | extend LogonTime = Timestamp
  )
  on AccountSid
  | where LogonTime between (AlertTime .. (AlertTime + 2h))
  | project DeviceId, AlertTime, AccountName, AccountSid
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| DeviceLogonEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using Kerberos Authentication
Description: A scheduled job (e.g., SQLAgent or Windows Task Scheduler) runs under a service account and authenticates via Kerberos.
Filter/Exclusion: Check for known service accounts (e.g., NT SERVICE\SQLAgent, NT AUTHORITY\SYSTEM) and filter out Kerberos requests originating from scheduled tasks or system services.
Scenario: Admin Task Involving Credential Delegation
Description: An administrator uses RunAs or Invoke-Command with delegated credentials to perform maintenance on remote systems.
Filter/Exclusion: Include checks for administrative tools like RunAs, PsExec, or Invoke-Command with explicit credential delegation, and filter out Kerberos tickets associated with these commands.
Scenario: User Accessing Own Resources via Kerberos
Description: A user accesses their own resources (e.g., file shares, databases) using Kerberos authentication.
Filter/Exclusion: Filter out Kerberos tickets where the principal is the same as the user account, or where the target resource is owned by the user.
Scenario: Multi-Factor Authentication (MFA) Prompt via Kerberos
Description: A user receives an MFA prompt while authenticating via Kerberos, which may trigger a false positive.
Filter/Exclusion: Exclude Kerberos tickets that occur after an MFA challenge or during a multi-factor authentication flow.
Scenario: Domain Controller Replication via Kerberos
Description: Domain controllers use Kerberos for replication between each other, which can generate suspicious ticket activity.
Filter/Exclusion: Filter out Kerberos tickets between domain controllers (e.g., DC01 to DC02) or those associated with replication services like NTDS or `K
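The following is an added example, not part of the original hunting query, showing how the exclusions from the scenarios above can be folded into the same correlation so that the tuned version is what analysts run. The SIDs in `KnownServiceSids` are the well-known LocalSystem, LocalService and NetworkService SIDs; the account names in `KnownServiceAccounts` and the hostnames in `DomainControllers` are constructed placeholders that would normally come from a Sentinel watchlist. The ownership check in the "User Accessing Own Resources" scenario is not expressible from these tables, so this example substitutes a breadth threshold (the same account landing on two or more devices inside the window) as a proxy; the "Admin Task Involving Credential Delegation" scenario is not covered here because it needs process telemetry that this query does not join.

```kql
// Added example (not the original hunting query): same correlation as
// ImpersonatedUserFootprint, with the false-positive exclusions applied.
// Well-known SIDs for LocalSystem, LocalService and NetworkService.
let KnownServiceSids = dynamic(["S-1-5-18", "S-1-5-19", "S-1-5-20"]);
// Constructed placeholders: domain service accounts that run scheduled jobs.
let KnownServiceAccounts = dynamic(["svc-sqlagent", "svc-backup"]);
// Constructed placeholders: domain controller hostnames, used to drop DC-to-DC traffic.
let DomainControllers = dynamic(["DC01", "DC02"]);
AlertInfo
| where ServiceSource =~ "Microsoft Defender for Identity"
| where Title == "Suspected overpass-the-hash attack (Kerberos)"
| extend AlertTime = Timestamp
| join (AlertEvidence | where EntityType == "User") on AlertId
| distinct AlertTime, AccountSid
// Scheduled jobs / system services: drop well-known service SIDs from the alerted users.
| where AccountSid !in (KnownServiceSids)
// kind=inner instead of leftouter: the time-window filter below discards
// unmatched rows anyway, so the outer join only adds cost.
| join kind=inner (
    DeviceLogonEvents
    | where LogonType == "Network" and ActionType == "LogonSuccess"
    | extend LogonTime = Timestamp
    // Scheduled jobs: drop allow-listed service accounts (case-insensitive).
    | where AccountName !in~ (KnownServiceAccounts)
    // Domain controller replication: ignore logons from one DC to another.
    | where not(DeviceName in~ (DomainControllers) and RemoteDeviceName in~ (DomainControllers))
) on AccountSid
| where LogonTime between (AlertTime .. (AlertTime + 2h))
// Breadth proxy for "user accessing own resources": one device is likely routine access,
// the same account fanning out to several devices after the alert is the lateral-movement footprint.
| summarize DeviceCount = dcount(DeviceId),
            Devices = make_set(DeviceName, 20),
            FirstLogon = min(LogonTime),
            LastLogon = max(LogonTime)
    by AccountSid, AccountName, AlertTime
| where DeviceCount >= 2
| order by DeviceCount desc
```

The `DeviceCount >= 2` threshold and the 2h window are tuning knobs: raise the window for environments where the post-alert sign-ins are slow to appear, and lower the threshold to 1 while validating the exclusion lists so that nothing is silently dropped.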