Possible Impacket GetUserSPNs Activity

Detects successful Kerberos Ticket Granting Service (TGS) requests that used the RC4-HMAC encryption type, which is what Impacket's GetUserSPNs.py produces when it requests service tickets for Kerberoasting. An RC4-HMAC service ticket is encrypted with a key derived directly from the service account's NT hash, so it is far cheaper to crack offline than an AES ticket, which is why the tool asks for that cipher.

Sigma rule

```yaml
title: Possible Impacket GetUserSPNs Activity
id: 73822599-97d8-411f-8ee1-e57ecac118c7
status: experimental
description: Detects attempts to create vulnerable Kerberos Ticket Granting Service (TGS) tickets using the RC4-HMAC encryption type.
references:
    - https://www.blackhillsinfosec.com/impacket-defense-basics-with-an-azure-lab/
    - https://github.com/fortra/impacket/blob/impacket_0_10_0/examples/GetUserSPNs.py
author: Micah Babinski
date: 2023/04/13
tags:
    - attack.s0357
    - attack.credential_access
    - attack.t1558
    - attack.t1558.003
logsource:
    product: zeek
    service: kerberos
detection:
    selection:
        cipher: 'rc4-hmac'
        request_type: 'TGS'
        success: true
    condition: selection
fields:
    - id.orig_h
    - client
    - service
falsepositives:
    - Unknown
level: low
```
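The selection above is a simple three-field match, so it fires on every RC4 service ticket, including ones legitimately issued to legacy service accounts, which is why the rule is rated low. The following is an added example, not code from the Sigma project or from Impacket: it applies the rule's selection to a few constructed Zeek `kerberos.log` records in JSON form and then adds a triage step the rule itself does not have, counting the distinct services each source host obtained RC4 tickets for. A Kerberoasting run asks for a ticket per SPN in quick succession, while a legacy application usually talks to one service; the `min_services` threshold is an assumed tuning knob, not part of the rule. Only JSON output is parsed here; Zeek's default TSV logs encode `success` as `T`/`F`, which the matcher also accepts.

```python
import json
from collections import defaultdict

# Constructed sample records in Zeek JSON kerberos.log format; not real telemetry.
# 10.0.0.25 requests RC4 tickets for three different SPNs (Kerberoast-like),
# 10.0.0.41 requests one RC4 ticket (legacy-app-like), others should not match.
SAMPLE_LOG = """
{"ts":1681390000.1,"uid":"C1","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","request_type":"AS","client":"jdoe/LAB.LOCAL","service":"krbtgt/LAB.LOCAL","success":true,"cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1681390001.2,"uid":"C2","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","request_type":"TGS","client":"jdoe/LAB.LOCAL","service":"MSSQLSvc/sql01.lab.local:1433","success":true,"cipher":"rc4-hmac"}
{"ts":1681390001.3,"uid":"C3","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","request_type":"TGS","client":"jdoe/LAB.LOCAL","service":"HTTP/web01.lab.local","success":true,"cipher":"rc4-hmac"}
{"ts":1681390001.4,"uid":"C4","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","request_type":"TGS","client":"jdoe/LAB.LOCAL","service":"exchangeMDB/mail01.lab.local","success":true,"cipher":"rc4-hmac"}
{"ts":1681390002.0,"uid":"C5","id.orig_h":"10.0.0.40","id.resp_h":"10.0.0.5","request_type":"TGS","client":"asmith/LAB.LOCAL","service":"cifs/fs01.lab.local","success":true,"cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1681390003.0,"uid":"C6","id.orig_h":"10.0.0.41","id.resp_h":"10.0.0.5","request_type":"TGS","client":"legacyapp/LAB.LOCAL","service":"MSSQLSvc/sql01.lab.local:1433","success":true,"cipher":"rc4-hmac"}
{"ts":1681390004.0,"uid":"C7","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","request_type":"TGS","client":"jdoe/LAB.LOCAL","service":"ldap/dc01.lab.local","success":false,"cipher":"rc4-hmac","error_msg":"KDC_ERR_S_PRINCIPAL_UNKNOWN"}
"""


def parse_zeek_json(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_selection(event):
    """The Sigma 'selection' block: cipher AND request_type AND success."""
    success = event.get("success")
    return (
        event.get("cipher") == "rc4-hmac"
        and event.get("request_type") == "TGS"
        and (success is True or success == "T")  # JSON bool or TSV-style flag
    )


def run_rule(events):
    """Return the rule's 'fields' projection for every matching event."""
    return [
        {"id.orig_h": e.get("id.orig_h"), "client": e.get("client"), "service": e.get("service")}
        for e in events
        if matches_selection(e)
    ]


def distinct_services_per_host(matches):
    """Group rule hits by source host and collect the distinct SPNs each one obtained."""
    per_host = defaultdict(set)
    for m in matches:
        per_host[m["id.orig_h"]].add(m["service"])
    return {host: sorted(services) for host, services in per_host.items()}


def kerberoast_candidates(matches, min_services=3):
    """Hosts that pulled RC4 tickets for at least min_services distinct SPNs.

    min_services is an assumed triage threshold, not part of the Sigma rule.
    """
    return sorted(
        host for host, services in distinct_services_per_host(matches).items()
        if len(services) >= min_services
    )


if __name__ == "__main__":
    hits = run_rule(parse_zeek_json(SAMPLE_LOG))
    for hit in hits:
        print("rule hit:", hit)
    print("hosts with many RC4 SPN tickets:", kerberoast_candidates(hits))
```

On the sample data the raw rule produces four hits (the AS-REQ, the AES ticket and the failed TGS-REQ are excluded), but only 10.0.0.25 crosses the distinct-service threshold; 10.0.0.41 is the kind of single-service RC4 client that an unqualified version of this rule would keep surfacing. Whatever threshold you pick, baseline it against the hosts in your environment that still hold RC4-only service accounts before enabling alerting on it.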
