Kerberos Network Traffic RC4 Ticket Encryption
Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
Sigma rule (View on GitHub)
1title: Kerberos Network Traffic RC4 Ticket Encryption
2id: 503fe26e-b5f2-4944-a126-eab405cc06e5
3status: test
4description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
5references:
6 - https://adsecurity.org/?p=3458
7author: sigma
8date: 2020/02/12
9modified: 2021/11/27
10tags:
11 - attack.credential_access
12 - attack.t1558.003
13logsource:
14 product: zeek
15 service: kerberos
16detection:
17 selection:
18 request_type: 'TGS'
19 cipher: 'rc4-hmac'
20 computer_acct:
21 service|startswith: '$'
22 condition: selection and not computer_acct
23falsepositives:
24 - Normal enterprise SPN requests activity
25level: medium
References
Related rules
- Credentials In Files
- Possible Impacket SecretDump Remote Activity - Zeek
- Suspicious History File Operations
- Password Dumper Activity on LSASS
- Register new Logon Process by Rubeus