Detects unauthorized Kerberos ticket injection by correlating service ticket (TGS, 4769) requests with the absence of both a corresponding account logon (4624) and prior Ticket Granting Ticket (TGT, 4768) activity for the same account. Highlights anomalous service ticket generation chains involving unexpected users, hosts, or times, and suspicious injection of tickets via mimikatz-like tooling into LSASS memory. The behavior also includes network lateral movement using Kerberos authentication without the expected interactive logon pattern.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4769 |
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4768 |
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| TimeWindow | Defines the correlation window between TGT request (4768) and TGS request (4769) |
| HostContextScope | Adjusts the host scoping for correlation of authentication chains and ticket injection |
| LSASSAccessAnomalyThreshold | Allows tuning of alerts for ticket injection attempts via LSASS memory access |
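The correlation described above, written out as an added example (not part of the original analytic or any vendor's query): it walks a time-ordered list of constructed events, remembers 4768 and 4624 activity per account, tracks Sysmon 10 accesses to lsass.exe from processes outside an allowlist, and flags every 4769 whose account has neither a TGT request nor a logon in the lookback window. The three tunables map to the fields in the table: `time_window` is TimeWindow, `host_scope` is HostContextScope (`"host"` requires the chain on the same host, `"domain"` accepts any host), and `lsass_threshold` is LSASSAccessAnomalyThreshold. The event dictionaries, the simplified field names (`user`, `host`, `source_image`, `target_image`) and the allowlist of LSASS clients are assumptions made for the example.

```python
"""Correlate Kerberos 4769 TGS requests with prior 4768/4624 activity and LSASS access (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the page). Field names are simplified
# stand-ins: "user" = TargetUserName, "host" = workstation the request came from,
# "source_image"/"target_image" = the Sysmon EventCode=10 fields.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "source": "Security", "code": 4768, "user": "alice", "host": "WS01"},
    {"time": "2024-05-01T09:00:05", "source": "Security", "code": 4624, "user": "alice", "host": "WS01"},
    {"time": "2024-05-01T09:05:00", "source": "Security", "code": 4769, "user": "alice", "host": "WS01", "service": "cifs/FS01"},
    # alice's ticket is used from a host other than the one that obtained her TGT
    {"time": "2024-05-01T09:20:00", "source": "Security", "code": 4769, "user": "alice", "host": "WS07", "service": "ldap/DC01"},
    # an unexpected process opens LSASS on WS07, then a TGS appears for bob with no 4768/4624 chain at all
    {"time": "2024-05-01T09:30:00", "source": "Sysmon", "code": 10, "host": "WS07",
     "source_image": r"C:\Users\Public\unknown.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"time": "2024-05-01T09:31:00", "source": "Security", "code": 4769, "user": "bob", "host": "WS07", "service": "cifs/FS01"},
]

# Processes that legitimately open LSASS on a typical workstation (assumed list; tune per environment).
ALLOWED_LSASS_CLIENTS = frozenset(p.lower() for p in (
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
))


def detect_ticket_injection(events, time_window=timedelta(minutes=30), host_scope="host", lsass_threshold=1):
    """Return one finding per 4769 that lacks both a prior 4768 and a prior 4624 for the same account.

    time_window     -> TimeWindow: how far back to look for 4768 / 4624 / LSASS-access events
    host_scope      -> HostContextScope: "host" = chain must be on the same host, "domain" = any host
    lsass_threshold -> LSASSAccessAnomalyThreshold: untrusted LSASS accesses needed to rate a finding high
    """
    ordered = sorted(events, key=lambda e: e["time"])
    tgt_seen = defaultdict(list)      # user -> [(time, host)] from 4768
    logon_seen = defaultdict(list)    # user -> [(time, host)] from 4624
    lsass_access = defaultdict(list)  # host -> [(time, source_image)] from Sysmon 10 on lsass.exe
    findings = []

    def in_window(entries, now, host):
        # True if any earlier entry falls inside the lookback window and satisfies the host scope
        return any(now - when <= time_window and (host_scope != "host" or h == host)
                   for when, h in entries if when <= now)

    for e in ordered:
        now = datetime.fromisoformat(e["time"])
        code = e["code"]
        if e["source"] == "Security" and code == 4768:
            tgt_seen[e["user"]].append((now, e["host"]))
        elif e["source"] == "Security" and code == 4624:
            logon_seen[e["user"]].append((now, e["host"]))
        elif e["source"] == "Sysmon" and code == 10 and e["target_image"].lower().endswith("lsass.exe"):
            if e["source_image"].lower() not in ALLOWED_LSASS_CLIENTS:
                lsass_access[e["host"]].append((now, e["source_image"]))
        elif e["source"] == "Security" and code == 4769:
            has_tgt = in_window(tgt_seen[e["user"]], now, e["host"])
            has_logon = in_window(logon_seen[e["user"]], now, e["host"])
            if has_tgt or has_logon:
                continue  # normal chain: the account obtained a TGT or logged on before requesting a service ticket
            recent_lsass = [img for when, img in lsass_access[e["host"]] if now - when <= time_window]
            reasons = ["no 4768 in window", "no 4624 in window"]
            if recent_lsass:
                reasons.append(f"{len(recent_lsass)} untrusted LSASS access(es) on host")
            findings.append({
                "time": e["time"], "user": e["user"], "host": e["host"], "service": e.get("service"),
                "reasons": reasons,
                "severity": "high" if len(recent_lsass) >= lsass_threshold else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_ticket_injection(SAMPLE_EVENTS):
        print(finding)
```

With the default host scope the run yields two findings: alice's 09:20 request from WS07 (her TGT and logon were on WS01, so the chain is missing on that host) rated medium, and bob's 09:31 request rated high because an unlisted process had just opened LSASS on the same host. Widening `host_scope` to `"domain"` drops alice's finding, since her TGT request is then accepted from any host; this is exactly the trade-off HostContextScope controls, and the narrower scope is the one that catches a ticket obtained on one machine and replayed from another.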