Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
Sigma rule (View on GitHub)
1title: Suspicious Kerberos RC4 Ticket Encryption
2id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
3status: test
4description: Detects service ticket requests using RC4 encryption type
5references:
6 - https://adsecurity.org/?p=3458
7 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
8author: Florian Roth (Nextron Systems)
9date: 2017/02/06
10modified: 2022/06/19
11tags:
12 - attack.credential_access
13 - attack.t1558.003
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 4769
20 TicketOptions: '0x40810000'
21 TicketEncryptionType: '0x17'
22 reduction:
23 ServiceName|endswith: '$'
24 condition: selection and not reduction
25falsepositives:
26 - Service accounts used on legacy systems (e.g. NetApp)
27 - Windows Domains with DFL 2003 and legacy systems
28level: medium
References
Related rules
- Potential CVE-2021-42278 Exploitation Attempt
- Possible Impacket GetUserSPNs Activity
- Potential CVE-2021-42287 Exploitation Attempt
- Request A Single Ticket via PowerShell
- Kerberos Network Traffic RC4 Ticket Encryption