This note documents detection patterns related to Timeroasting within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4768 | Kerberos TGT request | Critical | Timeroasting abuses Kerberos authentication timing differences. Review TargetUserName, IpAddress, PreAuthType, and FailureCode patterns across many usernames. |
| Security | 4771 | Kerberos pre-authentication failed | Critical | Primary indicator. Timeroasting generates many failed Kerberos preauth attempts. Review FailureCode and ClientAddress. |
| Security | 4625 | Failed logon | Medium | May appear when attackers test credentials following enumeration. |
| Security | 4688 | Process creation | High | On compromised hosts may reveal tooling performing timing-based enumeration or Kerberos probing. |
| Sysmon | 1 | Process creation | Critical | Look for enumeration tools, scripts, or unusual authentication utilities generating repeated Kerberos traffic. |
| Sysmon | 3 | Network connection | Medium | Repeated connections to domain controller Kerberos service (port 88) from unusual endpoints. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Large volume of Kerberos failures | High frequency of Event 4771 across many usernames | Critical | Timeroasting relies on repeated authentication attempts to measure timing differences. |
| Enumeration across many accounts | Same source host attempting authentication for dozens or hundreds of usernames | High | Often occurs after LDAP user enumeration. |
| Consistent failure codes | Repeated Kerberos failure codes for different usernames | Medium | Helps distinguish attack automation from normal login errors. |
| Unusual authentication source | Kerberos requests from systems not normally performing authentication enumeration | High | Often the attacker's foothold workstation. |
| Follow-on credential usage | Successful logons using accounts previously probed | Critical | Indicates attacker successfully cracked credentials derived from timing analysis. |
## Common Tools
| Tool | Usage |
|---|---|
| Custom scripts | Attackers often implement custom timing-based Kerberos probing scripts. |
| Kerberos research tooling | Proof-of-concept tools used for timing analysis attacks. |
| Impacket libraries | Can be adapted for Kerberos enumeration attacks. |
| Python scripts | Frequently used to automate authentication timing measurements. |
## Relevant Artifacts
- Domain controller Security logs (4768 and 4771)
- Endpoint process execution telemetry
- Sysmon network and process logs
- Kerberos operational logs
- PowerShell logs if enumeration performed via scripts
- Prefetch artifacts indicating execution of enumeration tools
- MFT artifacts for created scripts or tool binaries
- Network monitoring showing repeated Kerberos authentication attempts
## MITRE ATT&CK References
- T1558 Steal or Forge Kerberos Tickets
- T1110 Brute Force
- T1078 Valid Accounts
## Decision Tree
- Is the suspicious event present?
  - Look for high volumes of Security Event 4771 across many accounts.
- What host generated the event?
  - Identify the source IP generating the Kerberos failures.
- Is the account expected to perform this action?
  - Determine whether authentication failures correspond to legitimate login attempts.
- Pivot:
  - Source host → analyze processes and scripts responsible for Kerberos probing.
  - Account → check for privilege escalation attempts.
  - Network → examine lateral movement following successful credential discovery.
- Confirm attack progression
  - Investigate whether previously targeted accounts later show successful authentication events.
## Example Detection Templates
### KQL
```kql
// 4771: pre-authentication failed. One source hitting many distinct accounts in 5 minutes.
SecurityEvent
| where EventID == 4771
| summarize FailedAttempts=count(), UniqueUsers=dcount(TargetUserName) by IpAddress, bin(TimeGenerated, 5m)
| where UniqueUsers > 20
| order by FailedAttempts desc
```
```kql
// 4768: TGT requests. A burst from one source in a 1-minute window.
SecurityEvent
| where EventID == 4768
| summarize Attempts=count() by IpAddress, bin(TimeGenerated, 1m)
| where Attempts > 30
```
### ES|QL
EQL has no aggregation pipes (`stats`, `cardinality`, `date_trunc` are not EQL), so the same logic is expressed in Elastic ES|QL:
```esql
// index pattern is a placeholder; point it at the ingested Windows Security events
FROM logs-*
| WHERE event.code == "4771"
| EVAL window = DATE_TRUNC(5 minutes, @timestamp)
| STATS failures = COUNT(*), users = COUNT_DISTINCT(winlog.event_data.TargetUserName)
    BY source.ip, window
| WHERE users >= 20
| SORT failures DESC
```
### Sigma
Current Sigma expresses "distinct accounts per source within a timeframe" as a base rule plus a `value_count` correlation rule (the legacy `| count(...) by ...` aggregation syntax is deprecated and not supported by pySigma):
```yaml
title: Kerberos Pre-Authentication Failure
id: kerberos-timing-enumeration   # Sigma expects a UUID here; replace before deployment
name: kerberos_preauth_failure
status: experimental
description: Base rule matching Kerberos pre-authentication failures (Event 4771); the correlation rule below counts distinct target accounts per source
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4771
  condition: selection
fields:
  - TargetUserName
  - IpAddress
  - FailureCode
level: low
---
title: Suspicious Kerberos Authentication Failures Across Many Users
status: experimental
description: Detects high volumes of Kerberos authentication failures that may indicate timing-based enumeration attacks
correlation:
  type: value_count
  rules:
    - kerberos_preauth_failure
  group-by:
    - IpAddress
  timespan: 5m
  condition:
    gte: 20
    field: TargetUserName
falsepositives:
  - Misconfigured authentication systems
  - Password spraying attempts
level: high
tags:
  - attack.credential_access
  - attack.t1110
```
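An added example, not part of the original note, that runs the decision tree's first and last checks over constructed Security events: the 4771 distinct-account burst per source IP and 5-minute window (same threshold as the KQL/Sigma templates), then the follow-on check for probed accounts that later log on successfully (Event 4624) from the same source. Events are simplified dicts using the field names the templates use; the IPs, account names and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

UNIQUE_USER_THRESHOLD = 20  # same threshold as the KQL/Sigma templates above

def bucket_of(ts):
    """Start of the 5-minute window containing ts (mirrors bin(TimeGenerated, 5m))."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)

def detect_enumeration_bursts(events, threshold=UNIQUE_USER_THRESHOLD):
    """Map (IpAddress, window start) -> distinct accounts with 4771 failures,
    keeping only windows where one source hit at least `threshold` accounts."""
    users = defaultdict(set)
    for e in events:
        if e["EventID"] == 4771:
            users[(e["IpAddress"], bucket_of(e["Time"]))].add(e["TargetUserName"].lower())
    return {key: names for key, names in users.items() if len(names) >= threshold}

def follow_on_logons(events, bursts):
    """Decision-tree last step: accounts probed in a burst that later log on
    successfully (4624) from the same source IP. Returns (ip, user, time) tuples."""
    probed, first_seen = defaultdict(set), {}
    for (ip, start), names in bursts.items():
        probed[ip] |= names
        first_seen[ip] = min(first_seen.get(ip, start), start)
    return [(e["IpAddress"], e["TargetUserName"], e["Time"]) for e in events
            if e["EventID"] == 4624 and e["IpAddress"] in probed
            and e["TargetUserName"].lower() in probed[e["IpAddress"]]
            and e["Time"] >= first_seen[e["IpAddress"]]]

# Constructed sample events (not real logs): 10.0.0.5 fails pre-auth for 25 accounts in
# about 70 seconds, 10.0.0.9 has one ordinary failure, then user07 logs on from 10.0.0.5.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [{"EventID": 4771, "TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.5",
      "FailureCode": "0x18", "Time": T0 + timedelta(seconds=3 * i)} for i in range(25)]
    + [{"EventID": 4771, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.9",
        "FailureCode": "0x18", "Time": T0 + timedelta(minutes=1)}]
    + [{"EventID": 4624, "TargetUserName": "user07", "IpAddress": "10.0.0.5",
        "Time": T0 + timedelta(minutes=40)}]
)

def run_sample():
    """Apply both checks to the constructed events; returns (bursts, follow-on hits)."""
    bursts = detect_enumeration_bursts(SAMPLE_EVENTS)
    return bursts, follow_on_logons(SAMPLE_EVENTS, bursts)
```

Feed real exports by mapping each record to the same five keys; the window and threshold are the tuning knobs the falsepositives section refers to.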
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Authentication monitoring | Alert on high volumes of Kerberos authentication failures | High | Early detection of credential probing activity. |
| Account lockout policies | Implement lockout thresholds | Medium | Limits brute-force attempts but must balance usability. |
| Kerberos logging | Enable detailed Kerberos auditing | High | Improves detection visibility. |
| Network segmentation | Restrict access to domain controllers | High | Reduces ability of compromised hosts to probe authentication services. |
| Security monitoring | Use SIEM rules to detect authentication anomalies | High | Helps correlate events across systems. |