Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
Sigma rule (View on GitHub)
1title: Suspicious Kerberos RC4 Ticket Encryption
2id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
3status: test
4description: Detects service ticket requests using RC4 encryption type
5references:
6 - https://adsecurity.org/?p=3458
7 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
8author: Florian Roth (Nextron Systems)
9date: 2017-02-06
10modified: 2022-06-19
11tags:
12 - attack.credential-access
13 - attack.t1558.003
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 4769
20 TicketOptions: '0x40810000'
21 TicketEncryptionType: '0x17'
22 reduction:
23 ServiceName|endswith: '$'
24 condition: selection and not reduction
25falsepositives:
26 - Service accounts used on legacy systems (e.g. NetApp)
27 - Windows Domains with DFL 2003 and legacy systems
28level: medium
References
-
Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attac...
Read More -
Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length as the domain password minimum (often 10 or 12 characters long) meaning that even brute force cracking doesn’t likely take longer than the password maximum p
Read More
Related rules
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - RemoteKrbRelay Execution
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock