SPL, Apache-2.0, from splunk/security_content

Kerberoasting spn request with RC4 encryption

The following analytic detects potential Kerberoasting by identifying Kerberos service ticket requests (Event ID 4769) whose TicketEncryptionType is 0x17 (RC4-HMAC) and whose TicketOptions match the values commonly sent by Kerberoasting tools (0x40810000, 0x40800000, 0x40810010). Requests for computer accounts (ServiceName ending in $) are excluded, because machine account passwords are long, random and rotated, so cracking them is impractical. RC4 tickets stand out because the ticket is encrypted with a key that is simply the service account's NT hash, which is far cheaper to brute-force offline than an AES key, so attack tools request RC4 even in domains that support AES. Kerberoasting lets any authenticated domain user request service tickets for SPN-bearing accounts, typically service accounts, and crack them offline to recover the account password. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and further compromise of the Active Directory environment. Expect false positives from service accounts that only support RC4 (msDS-SupportedEncryptionTypes unset or RC4-only) and from legacy clients; conversely, a tool that requests AES-encrypted tickets (TicketEncryptionType 0x11 or 0x12) will not trigger this rule.

Quality: 59
Rule source: detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
`wineventlog_security` EventCode=4769 ServiceName!="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY Computer, user, service_id,
       service, TicketEncryptionType, TicketOptions
  | rename Computer as dest
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `kerberoasting_spn_request_with_rc4_encryption_filter`
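To make the rule's logic checkable offline, here is an added example (not code from splunk/security_content) that re-implements the search clause and the stats pipeline above in plain Python and runs it over constructed Event ID 4769 records. Field names follow the SPL; the sample events, SIDs and host names are made up, and the site-specific `kerberoasting_spn_request_with_rc4_encryption_filter` macro is assumed to be a user allowlist.

```python
"""Added example, not part of splunk/security_content: the SPL detection
re-implemented in Python and run over constructed Event ID 4769 records."""
from collections import defaultdict
from datetime import datetime

# KDC-OPTIONS bit sets the SPL matches. Bits: Forwardable 0x40000000,
# Renewable 0x00800000, Canonicalize 0x00010000, Renewable-OK 0x00000010.
KERBEROAST_TICKET_OPTIONS = {0x40810000, 0x40800000, 0x40810010}
RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC (AES128 is 0x11, AES256 is 0x12)

# Constructed sample events (not real logs). Keys mirror the SPL's fields;
# hex fields are strings, as the Windows event log renders them.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:12:01+00:00", "EventCode": 4769, "Computer": "DC01.corp.local", "user": "jdoe",
     "service_id": "S-1-5-21-11-22-33-1105", "service": "svc_sql", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},
    {"_time": "2024-05-01T09:12:02+00:00", "EventCode": 4769, "Computer": "DC01.corp.local", "user": "jdoe",
     "service_id": "S-1-5-21-11-22-33-1106", "service": "svc_http", "ServiceName": "svc_http",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},
    {"_time": "2024-05-01T09:12:03+00:00", "EventCode": 4769, "Computer": "DC01.corp.local", "user": "jdoe",
     "service_id": "S-1-5-21-11-22-33-1105", "service": "svc_sql", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},
    # Computer account: excluded by ServiceName!="*$".
    {"_time": "2024-05-01T09:12:04+00:00", "EventCode": 4769, "Computer": "DC01.corp.local", "user": "jdoe",
     "service_id": "S-1-5-21-11-22-33-1201", "service": "WS01$", "ServiceName": "WS01$",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},
    # AES256 ticket: the rule only looks at RC4, so this is missed.
    {"_time": "2024-05-01T10:00:00+00:00", "EventCode": 4769, "Computer": "DC02.corp.local", "user": "asmith",
     "service_id": "S-1-5-21-11-22-33-1105", "service": "svc_sql", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12"},
    # RC4 but TicketOptions outside the listed set.
    {"_time": "2024-05-01T10:00:01+00:00", "EventCode": 4769, "Computer": "DC02.corp.local", "user": "asmith",
     "service_id": "S-1-5-21-11-22-33-1105", "service": "svc_sql", "ServiceName": "svc_sql",
     "TicketOptions": "0x40000000", "TicketEncryptionType": "0x17"},
    # Wrong event code (4768 is a TGT request, not a service ticket request).
    {"_time": "2024-05-01T10:00:02+00:00", "EventCode": 4768, "Computer": "DC02.corp.local", "user": "asmith",
     "service_id": "S-1-5-21-11-22-33-502", "service": "krbtgt", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810010", "TicketEncryptionType": "0x17"},
]


def _hex(value):
    """Normalise a '0x..' string (or int) to an int for comparison."""
    return int(str(value), 16)


def matches(event):
    """Row-level filter equivalent to the SPL search clause."""
    return (
        event.get("EventCode") == 4769
        and not str(event.get("ServiceName", "")).endswith("$")
        and _hex(event["TicketOptions"]) in KERBEROAST_TICKET_OPTIONS
        and _hex(event["TicketEncryptionType"]) == RC4_HMAC
    )


def detect(events, allowlist=frozenset()):
    """Equivalent of the stats/rename stages. `allowlist` (user names) stands in
    for the site-specific *_filter macro, assumed here to be an exclusion list."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev) and ev["user"] not in allowlist:
            key = (ev["Computer"], ev["user"], ev["service_id"], ev["service"],
                   ev["TicketEncryptionType"], ev["TicketOptions"])
            groups[key].append(datetime.fromisoformat(ev["_time"]))
    rows = []
    for (dest, user, service_id, service, etype, opts), times in groups.items():
        rows.append({"dest": dest, "user": user, "service_id": service_id, "service": service,
                     "TicketEncryptionType": etype, "TicketOptions": opts, "count": len(times),
                     "firstTime": min(times).isoformat(), "lastTime": max(times).isoformat()})
    # Most active pairings first, which is how an analyst would triage the output.
    rows.sort(key=lambda r: (-r["count"], r["user"], r["service"]))
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Of the seven constructed events only the three jdoe requests for non-computer SPNs with RC4 and a listed TicketOptions value survive the filter, and they collapse into two rows (svc_sql with count 2, svc_http with count 1). The AES256 request for the same SPN is invisible to the rule, which is the blind spot worth remembering when tuning it.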