
Kerberos Network Traffic RC4 Ticket Encryption

Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting.

Log Source
Product: Zeek (Bro) (raw: zeek)
Service: kerberos (raw: kerberos)

Detection Logic (2 selectors)
detection:
    selection:
        request_type: 'TGS'
        cipher: 'rc4-hmac'
    computer_acct:
        service|startswith: '$'
    condition: selection and not computer_acct
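As an added example, not part of the rule or the Sigma project, the logic above applied in Python to a few constructed Zeek kerberos.log records in JSON form. The field names request_type, service and cipher come from the rule; the computer-account exclusion is applied exactly as the rule states it (service beginning with '$'), and string comparison is case-insensitive as in Sigma. Grouping hits by requesting client is an assumption about how an analyst would triage results, not something the rule itself does.

```python
import json

# Constructed sample records in Zeek kerberos.log JSON form (not real captures).
SAMPLE_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","request_type":"AS","client":"alice/CORP.LOCAL","service":"krbtgt/CORP.LOCAL","cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.5","request_type":"TGS","client":"alice/CORP.LOCAL","service":"MSSQLSvc/db01.corp.local:1433","cipher":"rc4-hmac"}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.0.5","request_type":"TGS","client":"alice/CORP.LOCAL","service":"HTTP/web01.corp.local","cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.7","request_type":"TGS","client":"WS01$/CORP.LOCAL","service":"$WS02","cipher":"RC4-HMAC"}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.0.0.9","request_type":"TGS","client":"bob/CORP.LOCAL","service":"cifs/fs01.corp.local","cipher":"rc4-hmac"}
"""

def _field(rec, name):
    """Return a field as a lower-cased string (Sigma matches strings case-insensitively)."""
    return str(rec.get(name, "")).lower()

def selection(rec):
    """Sigma 'selection': a TGS request whose ticket cipher is rc4-hmac."""
    return _field(rec, "request_type") == "tgs" and _field(rec, "cipher") == "rc4-hmac"

def computer_acct(rec):
    """Sigma 'computer_acct': service name begins with '$', taken literally from the rule."""
    return _field(rec, "service").startswith("$")

def matches(rec):
    """condition: selection and not computer_acct"""
    return selection(rec) and not computer_acct(rec)

def scan(log_text):
    """Parse JSON lines and return the records the rule fires on (unparsable lines are skipped)."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches(rec):
            hits.append(rec)
    return hits

def hits_by_client(hits):
    """Group matched SPNs by requesting principal; one client pulling RC4 tickets for
    many distinct services is the pattern worth triaging first (assumed triage step)."""
    grouped = {}
    for rec in hits:
        grouped.setdefault(rec.get("client"), []).append(rec.get("service"))
    return grouped

if __name__ == "__main__":
    for client, services in hits_by_client(scan(SAMPLE_LOG)).items():
        print(f"{client}: {len(services)} RC4 TGS request(s): {', '.join(services)}")
```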
False Positives

Normal enterprise SPN request activity

Rule Metadata
Rule ID
503fe26e-b5f2-4944-a126-eab405cc06e5
Status
test
Level
medium
Type
Detection
Created
Wed Feb 12
Modified
Sat Nov 27
Author
Path
rules/network/zeek/zeek_susp_kerberos_rc4.yml
Raw Tags
attack.credential-access, attack.t1558.003