RC4 Kerberos Service Ticket Requests - Potential Kerberoasting

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects Kerberos service ticket requests using RC4 encryption for non-machine service accounts.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Kerberos Activity" AND (ENCRYPTIONTYPE = "0x17" AND USERNAME notendswith "$" AND SERVICENAME != "krbtgt") select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.SERVICENAME,Action1.REMOTEHOST,Action1.ERRORCODE,Action1.ENCRYPTIONTYPE,Action1.GUID

Detection

Execution Mode

realtime

Log Sources

Active Directory