mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
rule: zeek suspicious kerberos RC4 traffic
This commit is contained in:
james dickenson
parent
7a5587f14d
commit
93367d725d
22
rules/network/zeek_susp_kerberos_rc4.yml
Normal file
22
rules/network/zeek_susp_kerberos_rc4.yml
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
title: Suspicious kerberos network traffic RC4 ticket encryption
|
||||||
|
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
|
||||||
|
status: experimental
|
||||||
|
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
|
||||||
|
references:
|
||||||
|
- https://adsecurity.org/?p=3458
|
||||||
|
tags:
|
||||||
|
- attack.credential_access
|
||||||
|
- attack.t1208
|
||||||
|
logsource:
|
||||||
|
product: zeek
|
||||||
|
service: kerberos
|
||||||
|
detection:
|
||||||
|
selection:
|
||||||
|
request_type: 'TGS'
|
||||||
|
cipher: 'rc4-hmac'
|
||||||
|
computer_acct:
|
||||||
|
service: '$*'
|
||||||
|
condition: selection and computer_acct
|
||||||
|
falsepositives:
|
||||||
|
- normal enterprise SPN requests activity
|
||||||
|
level: medium
|
||||||
Loading…
Reference in New Issue
Block a user