SigmaHQ/rules/windows/builtin/win_susp_kerberos_manipulation.yml

title: Kerberos Manipulation
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
author: Florian Roth
tags:
    - attack.credential_access
    - attack.t1212
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
          - 675
          - 4768
          - 4769
          - 4771
        FailureCode:
          - '0x9'
          - '0xA'
          - '0xB'
          - '0xF'
          - '0x10'
          - '0x11'
          - '0x13'
          - '0x14'
          - '0x1A'
          - '0x1F'
          - '0x21'
          - '0x22'
          - '0x23'
          - '0x24'
          - '0x26'
          - '0x27'
          - '0x28'
          - '0x29'
          - '0x2C'
          - '0x2D'
          - '0x2E'
          - '0x2F'
          - '0x31'
          - '0x32'
          - '0x3E'
          - '0x3F'
          - '0x40'
          - '0x41'
          - '0x43'
          - '0x44'
    condition: selection
falsepositives:
    - Faulty legacy applications
level: high
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`title: Kerberos Manipulation`
			`description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.credential_access`
			`- attack.t1212`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`service: security`
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID:`
			`- 675`
			`- 4768`
			`- 4769`
			`- 4771`
			`FailureCode:`
			`- '0x9'`
			`- '0xA'`
			`- '0xB'`
			`- '0xF'`
			`- '0x10'`
			`- '0x11'`
			`- '0x13'`
			`- '0x14'`
			`- '0x1A'`
			`- '0x1F'`
			`- '0x21'`
			`- '0x22'`
			`- '0x23'`
			`- '0x24'`
			`- '0x26'`
			`- '0x27'`
			`- '0x28'`
			`- '0x29'`
			`- '0x2C'`
			`- '0x2D'`
			`- '0x2E'`
			`- '0x2F'`
			`- '0x31'`
			`- '0x32'`
			`- '0x3E'`
			`- '0x3F'`
			`- '0x40'`
			`- '0x41'`
			`- '0x43'`
			`- '0x44'`
Renamed rule files, new rules 2017-02-10 18:17:02 +00:00			`condition: selection`
			`falsepositives:`
			`- Faulty legacy applications`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`