SigmaHQ/rules/windows/builtin/win_susp_rc4_kerberos.yml

title: Suspicious Kerberos RC4 Ticket Encryption
status: experimental
references:
    - https://adsecurity.org/?p=3458
    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
tags:
    - attack.credential_access
    - attack.t1208
description: Detects service ticket requests using RC4 encryption type
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketOptions: '0x40810000'
        TicketEncryptionType: '0x17'
    reduction:
        - ServiceName: '$*'
    condition: selection and not reduction
falsepositives:
    - Service accounts used on legacy systems (e.g. NetApp)
    - Windows Domains with DFL 2003 and legacy systems
level: medium
Rew rule examples: RC4 Kerberos, JAVA remote debugging process 2017-02-06 19:03:42 +00:00			`title: Suspicious Kerberos RC4 Ticket Encryption`
			`status: experimental`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://adsecurity.org/?p=3458`
Added reference to Kerberos RC4 rule 2018-03-25 21:18:22 +00:00			`- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity`
windows builtin mitre attack tags 2018-07-24 04:34:20 +00:00			`tags:`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`- attack.credential_access`
			`- attack.t1208`
fix: more duplicate 'tag' keys in rules 2018-09-04 14:15:02 +00:00			`description: Detects service ticket requests using RC4 encryption type`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`service: security`
Rew rule examples: RC4 Kerberos, JAVA remote debugging process 2017-02-06 19:03:42 +00:00			`detection:`
			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID: 4769`
			`TicketOptions: '0x40810000'`
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename 2018-03-26 20:53:38 +00:00			`TicketEncryptionType: '0x17'`
Rew rule examples: RC4 Kerberos, JAVA remote debugging process 2017-02-06 19:03:42 +00:00			`reduction:`
			`- ServiceName: '$*'`
			`condition: selection and not reduction`
			`falsepositives:`
			`- Service accounts used on legacy systems (e.g. NetApp)`
			`- Windows Domains with DFL 2003 and legacy systems`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: medium`