Kerberos Network Traffic RC4 Ticket Encryption

Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting

Sigma rule (View on GitHub)

 1title: Kerberos Network Traffic RC4 Ticket Encryption
 2id: 503fe26e-b5f2-4944-a126-eab405cc06e5
 3status: test
 4description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
 5references:
 6    - https://adsecurity.org/?p=3458
 7author: sigma
 8date: 2020/02/12
 9modified: 2021/11/27
10tags:
11    - attack.credential_access
12    - attack.t1558.003
13logsource:
14    product: zeek
15    service: kerberos
16detection:
17    selection:
18        request_type: 'TGS'
19        cipher: 'rc4-hmac'
20    computer_acct:
21        service|startswith: '$'
22    condition: selection and not computer_acct
23falsepositives:
24    - Normal enterprise SPN requests activity
25level: medium

References

Related rules

to-top