splApache-2.0from splunk/security_content
Kerberos Service Ticket Request Using RC4 Encryption
The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
`wineventlog_security` EventCode=4769 ServiceName="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest, service, service_id,
TicketEncryptionType, TicketOptions
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `kerberos_service_ticket_request_using_rc4_encryption_filter`