Kerberos Network Traffic RC4 Ticket Encryption
Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
Sigma rule (View on GitHub)
1title: Kerberos Network Traffic RC4 Ticket Encryption
2id: 503fe26e-b5f2-4944-a126-eab405cc06e5
3status: test
4description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
5references:
6 - https://adsecurity.org/?p=3458
7author: sigma
8date: 2020-02-12
9modified: 2021-11-27
10tags:
11 - attack.credential-access
12 - attack.t1558.003
13logsource:
14 product: zeek
15 service: kerberos
16detection:
17 selection:
18 request_type: 'TGS'
19 cipher: 'rc4-hmac'
20 computer_acct:
21 service|startswith: '$'
22 condition: selection and not computer_acct
23falsepositives:
24 - Normal enterprise SPN requests activity
25level: medium
References
-
Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attac...
Read More
Related rules
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - RemoteKrbRelay Execution
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock